W3C Seeks Open Dialog About 
Next-Generation HTML 



Controversial 
UAC Spawns 
Alternatives 



BY DAVID WORTHINGTON 

Microsoft says that Windows 
Vista is the most secure version of 
Windows yet. That claim may 
have some teeth: The company 
has built in a bevy of new tech- 
nologies to harden Windows. 
One of them, the Windows Vista 
UAC (User Account Control), is 
sparking debate about just how 
sharp those teeth are. 

Past versions of Windows gave 
users administrative-level rights 
by default, but Windows Vista's 
UAC requires users to run with a 
standard-level user access token. 
Applications, components and 
processes that require elevated 
privileges cause Windows to noti- 
fy users that administrative autho- 
rization is necessary, who must 
then supply appropriate creden- 
tials or stop what they are doing. 

Microsoft designed UAC as a 
failsafe to limit the damage 
malicious software can cause to a 
system, and it is uniform across every 
Windows Vista version. But does 
UAC make sense in a business 
environment? 

THE PRIVILEGED MANY 

Although Microsoft added 
restricted-access accounts in 1997's 
Windows NT, some internal and 
shrink-wrapped enterprise 
applications still require elevated 
privileges to run correctly on 
Windows, because they were en- 



BY DAVID WORTHINGTON 

The World Wide Web Consor- 
tium announced in March that it 
is rechartering the HTML Work- 
ing Group to solicit input from 
both software vendors and Web 
developers to flesh out the next 
incarnation of HTML. The 
XHTML 2.0 Working Group was 
also rechartered and spun off to 
work more independently. 

The first public working draft 
of the HTML revision is scheduled 
for June of this year but will 
not be finalized until the end of 
2010. XHTML's public working 
draft has undergone several revisions, 
but formalization is nebulous, 
partly because the group's 
proposed changes will impact 
the way that developers work. 

'It's time to revisit the standard and see what 
we can do to meet the current community 
needs...with commitments from browser 
manufacturers in a visible and open way.' 

— Tim Berners-Lee, director of the World Wide Web Consortium 

The W3C has guided the evo- 
lution of the lingua franca of the 
Web from HTML 3.2 onward. 
Some Web developers have pub- 
licly complained that they were 
shut out of the 4.01 Working 
Group and asserted that browser 
vendors were given too much 
clout. Chris Wilson, platform 
architect of the Internet Explorer 
platform team at Microsoft, was 
once chair of the working group. 

Swedish Web developer Roger 
Johansson wrote for his 456 Berea 
Street blog, "I am very uncomfortable 
with a Microsoft representative 
being the chair of what is possibly 
the most important Working 
Group of the W3C, and definitely 
the most visible one." 

ZapThink analyst Ron 
Schmelzer explained that the 
developers' biggest complaint is 
that vendors are motivated to 
change or include things in the 
standards that benefit their prod- 
ucts, and that they did not have 
any direct input into the standards. 

"Users care more about 
usability. Involving developers 
in the standard will help not just 
the products that support the 
standards but also the people 
that have to live with them," 
said Schmelzer. 

The upcoming specification 
For on-the-Job Training, 
Games Becoming All Business 
Analyst: Code Scanning 
Won't Stand on Its Own 

Shift seen in security market 



BY ALEX HANDY 

When Fortify purchased rival 
Secure Software in January, it 
was the first major business 
move by a player in the market 
for application code security 
scanning. Now, more than two 
months later, at least one analyst 
sees the move as indicative of a 
broader shift in the application 
security assurance space. 

Andrew Jaquith, program 
manager for the Yankee Group's 
enabling technologies enterprise 
group, released a white paper in 
March that took an in-depth look 
at the Fortify deal, and placed 
the acquisition into the broader 
setting of the software security 
market as a whole. 

Jaquith asserts that Secure 
Software was having trouble 
gaining traction in the market- 
place during its five-year history. 
According to Jaquith, Secure 
Software never matched the 
amount of venture capital it 
raised with cumulative revenues, 
a fact that Jaquith attributes to 
Red Hat Enterprise Linux 5 Arrives 



BY ALEX HANDY 

The Linux world has a new 
version of Red Hat to toy with. 
Red Hat Enterprise Linux 5 
shipped to users on March 14, 
and the company says that the 
new release is specifically 
focused on virtualization. 

With new management 
tools to provision and adminis- 
ter virtual machines, Red Hat 
Enterprise Linux 5 is targeted at 
servers, although a desktop ver- 
sion of the new operating sys- 
tem is available. Red Hat is also 
offering joint support with 
third-party vendors. 

The primary new feature in 
Red Hat Enterprise Linux 5 
(RHEL5) is the inclusion of Xen 
virtualization tools. Through the 
addition of new management 
consoles and tighter integration 
with the open source virtualiza- 
tion software, Red Hat hopes to 
slim down IT costs by putting 
existing infrastructure to better 
use. Although Xen is the official- 
ly bundled solution for virtual- 
ization, Red Hat representatives 
said that EMC's VMware is still 
an option for RHEL5 users 
looking for more robust virtual- 
ization offerings. However, 
VMware users will have to buy a 
bare-bones distribution of 
RHEL 5, and install VMware. 

SERVICE NO OBSTACLE 

After Oracle announced that it 
would begin selling service and 
support contracts for Red Hat 
Linux last fall, many investors 
initially saw the move as harmful 
to Red Hat. But Brent Williams, 
independent analyst and former 
Gartner researcher, said that 
Oracle's move into the support 
world has had little to no effect 
on Red Hat customers. 

Williams said that, soon after 
the Oracle support announce- 
ment, Red Hat's stock price 
plummeted. "Red Hat reported 
earnings after 90 days, and they 
blew away the numbers. [The 
stock] went back in the other 
direction as fast as it had sunk. 
This didn't really have much 
effect on Oracle's [stock] price," 
said Williams. "Optimism has 
returned, and it hasn't really 
benefited Oracle." 

Iain Gray, Red Hat's vice 
president of global support services, 
agreed with Williams, saying 
Oracle's support offerings 
haven't made a dent in his 
company's business. "It's not high on 
our radar," said Gray of Oracle's 
Linux distribution, which is 
based on Red Hat's Linux. 

Red Hat will soon begin 
offering joint support capabilities, 
so that developers seeking 
support for Oracle databases on 
Red Hat Linux can contact Red 
Hat as a single point of support. 
Red Hat support workers, said 
Gray, will now work as the 
go-between for customers who 
need stack and third-party 
application support. 

UNDER THE BRIM 

• Xen virtualization in all 
Server products. 

• New management tools for 
administrating virtualized 
machines. 

• Based on the Linux 2.6.18 
kernel. 

• Updated crash dump 
capability provided by 
Kexec/Kdump. 

• Kernel buffer splice 
capability for improved 
I/O buffer operations. 

• New audit features, including 
real-time network monitoring. 

• Improved Microsoft file 
sharing, printer sharing and 
Active Directory integration. 

• Smart card log-in, with 
PKI/Kerberos authentication. 

• Enhanced graphics using 
AIGLX/Compiz (with fading, 
transparency, etc.) 

• Enhanced application 
development tools, including 
SystemTap profiler and 
Frysk debugger. 

"Our partnerships can be 
viewed as a pyramid," said Gray. 
"What we're doing with this 
cooperative resolution center is 
defining the top of the pyramid 
and taking those relationships to 
the next level. We're agreeing to 
train each other on our respec- 
tive products. Symantec is the 
first we've agreed with. We will 
train Symantec on RHEL 5; they 
will train us on their storage 
products. It's a much, much 
deeper relationship than we've 
had in the past." 

BRIC BUILDING 

While Red Hat has also 
announced a new edition of its 
desktop operating system for 
enterprise users, Gray stated 
that the American desktop mar- 
ket is firmly in the hands of 
Microsoft, and that Red Hat 
prefers to push desktop Linux in 
the so-called BRIC (Brazil, Russia, 
India and China) markets. 
Among the overseas initiatives 
to put Linux in the hands of the 
end user, Gray noted that Red 
Hat is the provider of the Linux- 
based operating system for the 
One Laptop Per Child program, 
a not-for-profit educational 
effort to bring technology to 
children around the world. 

Separately, Red Hat hinted at 
its future plans to offer an open 
source partnership program, the 
Red Hat Exchange. This site will 
launch later this year and will 
provide ratings and information 
on open source companies that 
offer software for Red Hat's Lin- 
ux platform. 

Red Hat also will offer ser- 
vice and support contracts for 
these products. The first compa- 
nies involved in this initiative 
include EnterpriseDB, MySQL 
and SugarCRM. 



Enterprises Deal With Open Source Legalities 

Put lawyers with developers to ensure licenses, policies enforced 



BY ALEX HANDY 

SANTA CLARA — As open 
source software becomes 
increasingly common, many 
enterprises are finding that they 
can save time by building busi- 
ness applications on top of 
existing frameworks and 
libraries. But that, experts say, 
could have one major conse- 
quence for enterprises: bring- 
ing lawyers into the develop- 
ment process. 

At the recently concluded 
EclipseCon conference held 
here, many companies ex- 
changed ideas on how best to 
deal with open source software 
and licenses when building 
commercial and internal appli- 
cations. While there were many 
different solutions offered by 
managers and executives, the 
majority of the solutions in- 
volved the practice of closely 
integrating a lawyer into the 
software development process. 

Steve Gerdt, open source 
program director for IBM, said 
that legal review is crucial when 
building on top of open source 
tools, but added that proper 
instruction is important as well. 

"You need to tell the folks 
who are getting involved what is 
open source, and go through 
the basic terms and conditions 
of the licenses," Gerdt said. 
"You also need a process to 
review the open source software 
that's used. We started 
back in 1999 with our review 
process. It grew from a handful 
of proposals a month in 2000, to 
where, now, we get maybe 50 
proposals a month." 

Gerdt said that the internal 
review board at IBM includes 
both lawyers and top-level pro- 
grammers. While the practice 
initially took time to optimize, 
he said, the commonality of 
open source licenses makes the 
review process quick and easy 
now that it is mature. 

Pieter Humphrey, senior 
product marketing manager at 
BEA Systems, said that internal 
open source review boards are 
best coupled with other internal 
review boards and processes. 
"I think in some cases, in large 
companies that aren't siloed and 
you have one single managing 
committee, that can be a 
great way to engage with legal." 
He added, however, that single 
review boards can become 
bottlenecks if they are not 
quick, agile and able to respond 
quickly to new scenarios. 

Gerdt agreed. "As we've 
grown, we've really created 
teams close to our development 
teams. Typically, that involves 
one attorney who is an open 
source expert," said Gerdt. 
"With [our] guidelines and policies 
[in place], a lot of what we 
do today is very straightforward. 
We have specific guidelines and 
review categories for what has 
to go to corporate review. I'd say 
80 percent [of reviews] are handled 
on the team level. Clearly 
if you have just one team and 
two attorneys, that'll be a huge 
bottleneck." 

A formal open source review 
process is critical before software 
is deployed, says IBM's Gerdt. 

A formal open source review 
process is absolutely critical to 
successful development in the 
modern software environment, 
said Gerdt. 

Humphrey noted that many 
enterprises still create a blanket 
policy that forbids the use of 
any open source software within 
software development teams. 

But Humphrey said that this 
type of policy is a sure path to 
failure. Citing what he called 
"decentralized open source 
creep," Humphrey stated that 
forbidding the use of open 
source software will only exac- 
erbate the problem, as develop- 
ers scurry to cover their tracks 
and hide what open source soft- 
ware they are using. 

Black Duck Software founder 
and CEO Doug Levin said that 
most open source software 
used in enterprises is there 
because low-level developers 
wanted to try out the hip new 
thing on the scene, not because 
a lawyer or manager gave his or 
her team a mandate. He said 
that the solution to this is edu- 
cating corporate lawyers in the 
ways of the GPL. 

"Among the tech companies, 
there's a particular fear of conta- 
mination of the proprietary 
nature of their software. Corpo- 
rations are just generally afraid 
of lions and tigers and bears; 
that explains the typically irra- 
tional approach to open source," 
said Levin. "This is mainly due 
to their attorneys' not being 
educated about open source 
software. This has changed over 
the years, as more and more 
information is available through 
the attorney channels." 
IBM Extends Its SOA 
QA Product Portfolio 



BY DAVID WORTHINGTON 

As an increasing number of 
companies reuse and realign 
their existing technology infra- 
structure as SOAs, quality man- 
agement solutions are becoming 
indispensable. IBM claims that 
only it can supply organizations 
with the end-to-end approach to 
define processes and ensure the 
quality that they need before 
deploying SOA implementa- 
tions into infrastructure. 

Scott Hebner, vice president 
of marketing and strategy for 
IBM Rational, said that the 
broader story is what IBM is 
doing to help customers lever- 
age SOA: Two new IBM Ratio- 
nal products that test the per- 
formance, functionality and 
scalability of Web services-based 
applications were made avail- 
able worldwide on March 27. 

IBM's approach is to make 
quality management contigu- 
ous throughout the SOA life 
cycle, from what it calls the five 
entry points (people, processes, 
information, connectivity and 
reuse) to the governance opera- 
tional life cycle. 

IBM's Rational Tester for 
SOA Quality is designed to sim- 
plify testing for GUI-less ser- 
vices. If services have no GUIs, 
the tool queries the services and 
generates interfaces, against 
which loads are run. It also tests 
interactions between services 
and identifies functional bottlenecks, 
setting baselines for 
regression tests. 

Rational generates performance reports for Web services. 

Business Process Execution 
Language workflows may be 
exported into Rational, automatically 
generating test cases. 
More complex test suites can 
be generated using Java code. 
Session IDs are used to unique- 
ly identify transactions; Ratio- 
nal recognizes and tracks the 
IDs. 

Rational Tester for SOA 
Quality extends IBM's Rational 
Functional Tester with automatic 
data correlation that identifies 
where the unique ID is needed, 
and for which Web service. 

Another of IBM's new products, 
Rational Performance 
Tester Extension for SOA Quality, 
targets performance-testing 
teams. It focuses on workload 
modeling to validate scalability 
— and bottleneck detection. 
Response times are tabulated 
using Application Response 
Measurement trace data, generated 
by Rational Tester for SOA 
Quality, or by importing IBM 
Tivoli Monitoring resource 
times. Reporting and diagnostic 
capabilities are built in as well. 

What's more, the performance 
testing extension monitors 
service interactions across 
Web services and tunes performance 
against scenarios. Like 
Rational Tester for SOA Quality, 
Java can be added for customizing 
tests with insertions. 

Rounding out the SOA portfolio, 
IBM Tivoli Composite 
Application Manager has been 
given new response-time and 
application-management dashboards 
that are populated with 
real-time performance data. It 
handles performance and transactional 
modeling for services 
that are already in production. 
Data from Tivoli can be fed into 
testing tools that perform more 
in-depth diagnostics. 

IBM will provide supplemental 
technology services for 
SOA implementations by midyear 
that will include guidance 
and monitoring, as well as test 
planning, management and 
execution, as part of the service. 
Its next step is to build an 
ecosystem for business partners 
around its life-cycle platform. 



WebSphere Gets 'Edgy' 
With Google Gadgets 



BY DAVID WORTHINGTON 

In what could be thought of as a 
case of "The enemy of my enemy 
is my friend," IBM will integrate 
Google Gadgets into its WebSphere 
portal catalog in April. 
Consequently, more than 4,000 
Google Gadgets will be exposed 
in WebSphere Portal and WebSphere 
Portal Express Version 
6.0, as ready-to-use services that 
may be inserted into portlets. 

Google Gadgets will complement 
the existing portlets 
with information pulled from 
the Web, such as maps from 
Google Maps, package delivery 
trackers or data from the independent 
Economics Search 
Engine. The Gadgets integrate 
into portlets and both are 
housed within WebSphere portals, 
which host the composite 
applications. Composite applications 
built on the gadget-portlet 
mashup will then run on 
WebSphere. 

"This is a case of two giants 
teaming up. It's IBM and 
Google against Microsoft. 
Google gets IBM's blessing and 
solidifies its already extremely 
dominant position in this space. 
IBM gets linked with the very 
edgy Google," said Yankee 
Group analyst Laura DiDio. 

"What remains to be seen is 
whether both companies will 
work hard to make it happen," 
DiDio continued. "In this case, 
they both have a big stake in this 
space. This leaves Microsoft to 
play catch-up" with Windows 
Live Services, she added. 
Teamprise has joined the Eclipse Foundation as an add-in provider. The 
company makes software for accessing Microsoft's Visual Studio 2005 
Team Foundation Server from within Eclipse . . . Security software and 
services supplier SPI Dynamics said it has joined the Open Web Appli- 
cation Security Project (OWASP). The company also said it will support 
the OWASP Site Generator (OSG) project, which allows dynamic Web 
sites to be built based on XML and predefined vulnerabilities. The OSG 
can be used by QA and development teams to learn more about Web 
application security . . . Search engine developer Krugle has part- 
nered with CollabNet to give developers on that platform the ability to 
more easily search for code and related information. The search ser- 
vice also is available through openCollabNet, the online community, 
and at Tigris.org, where the Subversion SCM project resides. 



NEW PRODUCTS 



Worksoft has released Business Process Solutions for SAP, a code-free 
testing solution, to speed up SAP deployments. 
It integrates management, automation 
and framework to manage the SAP validation process across the 
enterprise . . . DataDirect Technologies has announced DataDirect 
XQuery. The product provides XQuery support for major relational 
databases. DataDirect claims that DataDirect XQuery is 99 percent- 
compliant with the specification and can handle XML files greater than 
50GB. It is available now for any Java platform. 



UPGRADES 






Parasoft has brought WebKing up to speed with AJAX. WebKing 6.0, 
made available in March, identifies where errors are introduced in 
AJAX applications. It enforces best practices to stamp out errors dur- 
ing development, determines whether errors are client- or server-side 
and generates JUnit tests . . . EDGAR Online has announced the 
release of I-Metrix 2.0, which adds Office 2007 support to the 
company's tools for consuming data formatted in the Extensible Business 
Reporting Language. The new release 
also adds enhanced wizards for Microsoft 
Excel, footnote tagging and improvements to screening and valuation 
features . . . The source code from version 4.0 of the Microsoft Visual 
Studio 2005 SDK has been added to Koders' index of reusable code, 
the company announced. The Microsoft code examples and sample 
applications join more than 550 million lines of open source code that 
Koders' users can search and reuse . . . Doc-To-Help 2007 v1, the latest 
version of the help authoring tool from ComponentOne, has a new 
search engine for NetHelp, a new "breadcrumb navigation" feature in 
HTML-based outputs that appears at the top of each topic and shows 
the navigation path from the top-level topic, and a "generate PDF" 
button in Word manual outputs for the creation of PDF files . . . Intel- 
lectual property management software provider Palamida has 
expanded its repository of open source projects to more than 6,200 
and now can detect Python programming language software, which is 
important to companies basing their development on the Linux/ 
Apache/MySQL/PHP/Perl/Python (LAMP) stack . . . SPI Dynamics 
has updated its Assessment Management Platform to version 3, with 
a Web interface for collaboration as well as enterprisewide risk man- 
agement. The shared interface lets security experts work with devel- 
opers and QA on tests, without software installation and configuration 
issues. Application weighting, the new risk component, lets users pri- 
oritize and sort applications based on vulnerabilities and the impor- 
tance of the application to the business, according to the company. 



PEOPLE 



AccuRev, a software configuration management solution provider, has 
named David Jabs to the position of VP of engineering. Jabs will over- 
see product development. Most recently, Jabs was VP of engineering 
at Tibersoft, and was also a founding architect of what is now IBM 
Rational ClearCase when the SCM product was developed at Atria 
Software. 
All Work... But Some Play, Too 

Serious Games Summit shows off business applications for gaming 



BY ALEX HANDY 

Though you may love your job 
dearly, it's unlikely that anyone 
reading this learned how to 
code in order to write enter- 
prise transaction engines. Many 
modern programmers started 
coding because of games. And, 
as the video-game generation 
has grown into today's man- 
agers and engineers, businesses 
have followed suit and begun to 
look at games as a way to solve 
serious business problems. 

Alcoa, one of the world's 
largest producers of aluminum, 
recently found that video games 
could serve business purposes. 
Last year, the company contract- 
ed with an outside game devel- 
opment firm, Etcetera Edutain- 
ment, to develop and build a 3D 
loading dock simulation for 
training purposes. It is in beta 
testing, deployed in a number of 
Alcoa warehouse locations. 

"The loading dock work envi- 
ronment is something every 
Alcoa location has," said Jamie 
K. Mackay, manager of environ- 
ment, health and safety re- 
sources at Alcoa. "This [simula- 
tor] is something every one of 
our facilities can use around the 
world. It's a way to get people 
fully immersed in training with- 
out really having to expose them 
to the hazards on the floor." 

START WITH REQUIREMENTS 

Eben Myers is director of virtu- 
al training development at 
Etcetera Edutainment. He's a 
graduate of Carnegie Mellon 
University's entertainment tech- 
nology center, and his company 
is staffed mostly with fellow 
alumni. He said that corporate 
game development is similar in 
practice to standard enterprise 
application development. 

"We start with research," said 
Myers. "That's really about de- 
termining what are the systems, 
the policies, the rules that you're 
trying to represent in the game." 
For Myers' team, that meant 
meeting with the folks at Alcoa 
who design and document safe- 
ty policies. Etcetera initially 
approached Alcoa in what, at the 
time, amounted to a standard 
vendor sales call. Alcoa, howev- 
er, became very interested in the 
concept. It also helped that 
Etcetera had already built seri- 
ous games for other companies 
in the Pittsburgh area, including 
the local gas company 
and children's hospital. 

In the training game, 
three to five workers 
explore the three-dimen- 
sional loading dock of a 
virtual Alcoa warehouse. 
Workers training in this 
environment must pilot 
forklifts, clean up spills, 
inspect equipment and 
generally handle the daily 
tasks and procedures they 
would otherwise perform 
on the job. Of course, 
since this is a game, play- 
ers can also be run over, 
impaled, or dragged off 
by a truck that has decid- 
ed to leave ahead of 
schedule. These are all 
hazards found in every 
loading dock, but in 
Alcoa's game, the repercussions 
of failure are not deadly. 

The topic of serious games 
for business has evolved since 
the Serious Games Summit 
began in 2004. That first such 
summit was held in Washing- 
ton, D.C., and focused almost 
exclusively on military training 
simulations. But while shooting 
and driving were natural topics 
to cover in a game world, other 
military games that surfaced at 
that show sought to teach 
troops more cultural matters. 

Alcoa uses a 3D forklift simulator to train its loading dock workers in safety practices. 

Hannes Hogni Vilhjalmsson, 
an Icelander working in the 
Information Sciences Institute 
at the University of Southern 
California, for example, built 
the Tactical Language Training 
System. Rather than giving 
players a gun, this game uses 
voice recognition to process 
spoken Arabic questions. Vilh- 
jalmsson categorizes his game 
as a cultural training simulator, 
and the U.S. military has 
already tested the game 
on some of its troops, prior to 
their deployment to Iraq and 
Afghanistan. 



TRAINING GAMES 

Since 2004, the subject of seri- 
ous games has expanded 
through numerous corporate 
training projects. Games, it 
turns out, are an excellent 
medium for training employ- 
ees, and the constantly increas- 
ing processing power of desk- 
top computers has served to 
expand the scope of games. 

Some more experimental 
serious games focus on interper- 
sonal interactions, a perfect fit 
for training customer service 
representatives. One such experimental 
game, Facade, 
casts a player as a friend 
who arrives for dinner 
at the apartment of a 
couple in the midst of a 
fight. The goal is to play 
mediator and heal the 
broken couple's emotion- 
al wounds through real 
language discussions and 
body language. 

But while games are 
making their way into the 
corporate world, standard 
practices in most enter- 
prises are likely to commit 
serious games develop- 
ment to outside contrac- 
tors. While this may dis- 
appoint many enterprise 
developers who have 
always dreamed of build- 
ing games, the situation is 
just fine with Myers. 

"We're just at the very 
beginning," said Myers of the 
expansion of games in business. 
"After this Alcoa thing, we've 
gotten cold calls from people 
looking for forklift simulators. 
To have that kind of demand 
showing up without any mar- 
keting is an indicator for us." 
Myers is confident that demand 
for serious games will explode 
sometime in the near future. 
"When it happens," he said, "it's 
going to go from zero to 60 
incredibly fast." 



Games in the Classroom 



BY GEOFF KOCH 

A Java-based design and exper- 
imentation framework devel- 
oped at Villanova University 
may make game programming 
concepts more accessible to a 
wide variety of college-level 
students. 

The framework, created by 
computer science professor 
Tom Way and his former stu- 
dent Joseph Distasio, addresses 
a nagging issue for the bur- 
geoning numbers of colleges 
and universities experimenting 
with game-focused curricula: 
how to offer classes that chal- 
lenge the most savvy student 
programmers while at the same 
time engaging the enthusiastic 
but inexperienced non-majors. 

In the 1960s, college stu- 
dents had to get their fix of 
rudimentary games like Spacewar 
by sneaking time on university-owned 
time-share computer 
systems in the wee hours of 
the morning. Today, those pre- 
PC-era students are graybeards 
with their own college-age chil- 
dren, many of whom are inun- 
dated with options for studying 
computer game design and pro- 
gramming. 

Universities say such courses 
are not only a response to the 
gaming industry's voracious 
demand for new talent, but also 
a way to increase enrollment 
and improve retention in com- 
puter science departments. All 
these would-be game wizards 
with Xboxes stashed in their 
dorm rooms presumably want 
to get started developing the 
next smash-hit first-person 
shooter or sports-themed title 
as soon as they set foot on campus. 
The problem is that much 
game programming instruction, 
which usually assumes 
some knowledge about topics 
such as computer interface 
design, data structures and 
object-oriented design, typical- 
ly is reserved for upper-level or 
capstone courses. 

Way set out to help students 
of all skill levels better grok game 
development. The resulting 
framework, Labyrinth, offers 
students a set of customizable 
modules that together constitute 
a Pac-Man-style game. Some 
modules, such as the one con- 
trolling the graphical user inter- 
face, require some proficiency in 
the Java Abstract Window Tool- 
kit or Swing code. 

In a paper published online 
describing the work 
(arxiv.org/ftp/cs/papers/0609/0609070.pdf), 
Way lists artificial intelligence, 
algorithms and software engineering 
among potential classroom 
applications. He writes 
that the modular approach may 
be especially relevant to real-world 
programming scenarios 
such as "supporting and modify- 
ing OPC (Other People's Code), 
designing new functionality that 
must mesh errorlessly with an 
existing system, and collaborat- 
ing with others in making a vari- 
ety of cooperating modifications 
to such an existing system." 
Games are useful in teaching 
programming, according to 
Katrin Becker, a Calgary, Alber- 
ta-based researcher and instruc- 
tor who has been using games 
in introductory programming 
classes at the University of Cal- 
gary since 1999. Becker is 
intrigued by Way's work but 
wonders about tying students to 
one story line and one Java envi- 
ronment. "I like the framework 
but couldn't see it being used 
very often with the same group 
of students," she said. "They'd 
tire of it." 
Last Visual Studio 2005 SDK Ships 



BY DAVID WORTHINGTON 

The Visual Studio 2005 SDK is 
eligible for the endangered 
species list. Microsoft has given 
notice that version 4 of the 
Visual Studio SDK, the March 
2007 build, will be the last SDK 
update before it shifts its attention 
to the upcoming Orcas edition 
of Visual Studio. 

According to Microsoft, the 
initial Community Technology 
Preview (CTP) of the Orcas 
SDK will be made available 
soon. It will extend Orcas' features, 
counterparts and extensibility 
points. In the interim, it 
has made some changes to how 
the SDKs are distributed. Mi- 
crosoft shipped SDKs for Visual 
Studio 2005 on a three-month
"rapid-release" schedule. Each
build has been packaged as a full 
install that forced the removal of 
the previous version. From ver- 
sion 4 on out, a browser entry 
point called "Quickstart" will 
eliminate repeat installations of 
tutorials. Microsoft will dissemi-
nate the latest news, documenta- 
tion and code samples via RSS 
feeds and the SDK browser. 
Updates will surface within the 
SDK through the feeds. 

Some user interaction is required:
New code samples that are cata-
loged in the feeds must be
installed as packages. As the 
SDK evolves, an automatic 
update feature will push the lat- 
est samples and tools to the user. 

SDK content published on- 
line is not included in the offline 
library Microsoft distributes to 
Microsoft Developer Network 
subscribers. MSDN subscribers 
will continue to receive CTP 
builds of the Orcas SDK on a 
rapid-release schedule until it is 
released to manufacturing. 

The SDK's components are 
evolving as well. Version 4 
introduces a package load ana- 
lyzer that provides diagnostic 
information about how exten- 
sions are loaded into the IDE. 
A control toolbox installer for 
end users to install components 
into the toolbox is also bundled 
with the release. 

NO REGISTRATION REQUIRED 

Microsoft's convention about 
who should have access to the 
SDK has also evolved. The Visu- 
al Studio team is making it easi- 
er for developers to obtain the 
SDK in the first place: Registra- 
tion is no longer required, and it 
is available as a free download at 
the MSDN Web site. 

Rob Brigham, group manager 
for the Visual Studio Tool Eco- 
system team, said access to the 
SDK has been relaxed on the 
notion that it will encourage non- 
commercial users, and open and 
shared source projects, to join 
the Visual Studio "community." 

Users unfamiliar with the 
SDK can turn to new self-paced 
tutorials to get started. These 
tutorials explain how to build 
packages and tool windows as 
well as understand basic com- 
mands. Brigham acknowledged 
that the kit has a "large surface 
area," and hopes that the tutorials 
will make integration with Visual 
Studio a more approachable task. 

In a related move, Microsoft 
launched the Beginner Devel- 
oper Learning Center, a Web 
site geared toward novice pro- 
grammers using Visual Studio 
2005 Express.

Vitria Performs SOA 'Mass Repair'



BY DAVID WORTHINGTON 

After nearly two years of 
research and development and 
a recent change in ownership, 
Vitria in March released a new 
version of its Resolution Accel- 
erator for SOA exception man- 
agement. Resolution Accelera- 
tor addresses exceptions at the 
system, service, process and 
business levels with new facili- 
ties for analysis and repair. 

SOA exceptions can have cat- 
astrophic consequences that 
affect business operations and 
diminish profit, stinging the 
hardest when companies rely 
heavily on information systems. 
Telecommunications is one 
example where carriers must 
automate processes to get the 
most out of subscriber revenues. 
When there are business excep- 
tions, customers are dissatisfied 
and churn — with its associated 
costs — increases. 

Resolution Accelerator's new
visual dashboards monitor
exceptions and exception history
in real time using proprietary
"sensors" that analyze log files
and audit trails. Customers may
also build their own sensors.
Exceptions can be defined in
business process rule reposito-
ries. The exception resolution
process is audited and logged
at every step.

Resolution Accelerator also
includes a new "mass repair"
faculty that detects the root
cause of an exception and
applies the same resolution
technique to multiple instances
of the same exception. A rules-
based metadata-driven dictio-
nary guides users through clas-
sifying and routing exceptions
through resolution.

Resolution Accelerator runs
on top of Vitria's Business Accel-
erator and is interoperable with
SOA stacks from AmberPoint,
IBM, iWay and Red Hat.

Vitria Positions SOA Integration In Suite Spot

BY DAVID WORTHINGTON

Vitria Business Accelerator, an
Eclipse-based, stack-agnostic
SOA integration suite, shipped
on March 19. Users can choose
the components they want to
have in their application stack,
define and manage business
processes, and deploy into dif-
ferent environments.

Business Accelerator's fed-
eration and mediation capabili-
ties allow the users to design
and model once, then deploy.
Systems appear as a unified
environment inside of the
process designer. Customers
can use Business Accelerator
with Java EE application servers
and messaging platforms from
Red Hat, AmberPoint, IBM
and iWay, among others.

The mediation layer process-
es requests so that dissimilar sys-
tems can communicate. Busi-
ness Accelerator provides a
service interface for disparate
systems that makes many envi-
ronments appear as one, and
offers policy-based management
and control. Business Accelera-
tor ESB Edition is designed for
smaller projects, while Business
Accelerator Process Edition
expands into a full process inte-
gration suite.

Rally Takes Agile Into ALM With Platform Update

Latest version of project software ties in third-party tools 



BY DAVID RUBINSTEIN 

What Salesforce.com has done 
for CRM, Rally Software wants 
to do for ALM. 

With the release of Rally 
2007.2, the agile project man- 
agement platform features new 
integration capabilities for con- 
necting third-party tools, and 
puts the company squarely in 
the middle of the on-demand 
ALM space. "Rally had been a 
workgroup application, and 
now it's an enterprise applica- 
tion," said Rally founder and 
CTO Ryan Martens. "We're 
building a collaborative hub" 
that lets development team
members work together in an
agile fashion, he added. 

One of the issues holding 
back the adoption of agile 
processes in large enterprises 
was the notion that the projects 
could only be managed in a 
workgroup fashion; there was no 
scalable way to do collaboration. 
Rally has created a platform with 
new Web services APIs, connec- 
tors and tabs to bring together 
SCM and CRM tools, as well as 
project plans, bug-trackers
and development environments. 
Another agile project manage- 
ment company, VersionOne, also 
has created an enterprise plat-
form that ties in IDEs, defect
trackers and the like. 

Also new to the platform is 
an MPX file export capability 
that lets users see the status of 
projects managed in Microsoft 
Project. 

The notion of mashing up 
role-based tools gives develop- 
ers the ability to go from the 
development context to the 
business context, where they 
can see feedback from business 
users, partners and other team 
members, according to Zach 
Nies, vice president of product 
development. 

The future of ALM, said
Forrester senior analyst Carey
Schwaber, is one in which 
customers pay only for features 
they need, and where common 
services are available to any 
role-based tool via a neutral 
repository. Rally Enterprise, 
the edition of the platform best 
suited for enterprisewide agile 
development, costs US$85 per 
user per month and is available 
both on-demand and on- 
premise. 

In addition to the new fea- 
ture sets, success with agile 
development comes from train- 
ing, coaching and the commu- 
nity, Nies said. To that end, Ral-
ly has created Agile University,
a Web site where developers 
can register for courses in agile 
development. It also was to 
launch at the end of March 
Agile Commons, an interactive 
site featuring blogs and wikis 
that developers can use to share 
experiences, techniques and 
other information. 

"We look like a new breed of 
software company," Martens 
said, "with a set of interfaces 
woven through everything 
we're doing. We can take our 
data and other services and 
combine them in a context 
that's relevant to developers."



Leaving Sci-Fi for a Different Network 



One-time prodigy 
is chief architect 
for tools company 

BY GEOFF KOCH 

Sometime in the not-too-distant 
future, ScriptLogic will release 
several next-generation versions 
of its various network adminis- 
tration tools. It's hardly out of the 
ordinary that the code will have 
been shepherded through devel- 
opment and testing by the Boca 
Raton, Fla.-based company's 
chief software architect, Brian 
Bucklew. But what may be sur-
prising are the 27-year-old Buck- 
lew's credentials: a long history 
of obsessive tinkering with code, 
an abiding love of science fiction 
and computing games, and when 
it comes to education, a high 
school diploma. 

The history of computing is 
rife with tales of college dropouts 
who make good, from Bill Gates 
to Larry Ellison to Steve Jobs. 
But it's an archetype that's begin- 
ning to feel somewhat antiquat- 
ed as professionalization creeps 
into every nook and cranny of 
technology, including the for- 
merly anarchic world of gaming. 
Universities used to scowl at the 
use of their precious computing 
resources by the gaming crowd, 
while today those same campus- 
es scramble to put in place seri- 
ous undergraduate and graduate 
degree programs in game devel- 
opment and design. 

Certainly the problems that 
ScriptLogic solves, including
how to eliminate network ad-
ministration errors and better 
manage system updates, have 
long been the province of pros 
with staid training in such areas 
as systems engineering and 
computer science. That Buck- 
lew thrives in a world of degree- 
holding suits — he has long hair 
and says he wears shorts to work 
most days — seems due in equal 
measure to his quirky personal 
history and undeniable pro- 
gramming chops. 

Growing up in the 1980s in 
space-crazy Plantation, Fla., 
Bucklew at first was convinced 
he wanted to be an aerospace 
engineer. Though Plantation is 
close enough to Cape Canaveral 
to be able to see Space Shuttle 
launches when conditions are 
right, Bucklew was influenced 
less by NASA than by science 
fiction novels such as "Hyperion" 
by Dan Simmons and "Ender's
Game" by Orson Scott Card.

While still in his teens, 
he decided he wanted to build 
sci-fi-inspired games, not those 
of the simple tic-tac-toe variety. 
It was what he saw on screens at 
the local arcade that intrigued 
him. So while his contempo- 
raries were home watching tele- 
vision shows like "Beverly Hills, 
90210" and "Doogie Howser, 
M.D.," Bucklew would spend 
hours programming on his 286- 
based PC in QuickBASIC or 
ANSI C, trying to build space- 
ships that would fly across the 
computer screen. Invariably he 
found himself in way over his 
head and would end up abandon- 
ing the project, though not until 
he had learned all there was to 
know about a particular pro- 
gramming problem. 

"I must have had hundreds of 
incomplete projects in my 
youth," he said. "Even today I
think it's important to overreach
when learning anything new. Not 
by so far that you get discour- 
aged, but enough that you get a 
pretty thorough and deep 
grounding in the topic you are 
working on." 

IBM TAKES NOTICE 

Bucklew's obsessions at the key- 
board attracted the attention of a 
neighbor, who happened to be a 
senior manager at IBM. At the 
time Big Blue was still working 
on its OS/2 Warp operating sys- 
tem in Florida, and the neighbor 
offered the 14-year-old Bucklew 
a summer internship working 
on the project. The only problem 
was that Bucklew didn't fit 
into typical intern categories, so 
he was brought in under an 
IBM program for underserved 
minorities — teenagers apparent- 
ly being an underserved crowd. 
His performance was so good
that when IBM moved its OS/2
team to Texas soon after his 
internship ended, Bucklew was 
offered a full-time job. As a high 
school student still a few years 
from graduation, he had to turn 
it down, but by then the pro- 
gramming bug had bitten him. 

When later he was given an 
opportunity to leave Florida 
Atlantic University to work for a 
company on speech-recognition 
technology, he promptly quit 
classes. And when that first job 
fell through after only a short 
time, he didn't beg for readmis- 
sion to FAU. Rather, still only 17, 
he took a second job at a compa- 
ny working on flight-tracking 
software. Soon thereafter he 
jumped again, this time to the 
predecessor of ScriptLogic. 

Ten years later, Bucklew finds 
himself nominally in charge of a 
global network of developers 
working from two Florida loca- 
tions, New Zealand and Russia. 

Bucklew is mum on specifics 
as to what's coming for Script- 
Logic, but said he remains heav- 
ily involved in all aspects of 
application development, espe- 
cially when it comes to the inter- 
action of all the existing and new 
components. He speaks freely, 
though, when it comes to advice 
to others seeking to plot their 
course on a coding landscape 
that continually seems to get 
more complex. 

"Keep exploring and learn- 
ing, even and especially outside 
of programming; you'd be sur- 
prised at the connections your 
mind makes when you really 
delve into a topic like music or 
even history," he said. "I really 
believe that any learning makes 
all learning easier."

Oracle Donates Its TopLink Engine

New projects, tools and plug-ins highlight EclipseCon 2007 gathering 



BY ALEX HANDY 

SANTA CLARA — Oracle's decision to
contribute its TopLink persistence 
engine to the Eclipse community was 
among the more significant 
events at the recent Eclipse- 
Con 2007 show here. The 
news comes alongside the 
announcement that Oracle would be 
stepping up its role in the community by 
becoming a board-level member of the 
foundation for the first time. 

Dennis Leung, vice president of soft- 
ware development in Oracle's Fusion 
middleware group, is the company's new 
representative on the Eclipse Founda- 
tion board. He sees the TopLink dona- 
tion as a potential pivot point for the 
open source IDE as a whole. "TopLink 
offers a significant commercial quality 
runtime to the Eclipse community," said 
Leung, adding that most other projects 
at Eclipse are either tools or plug-ins. 
"It's a new direction." 

Brent Williams, a former Gartner 
researcher who labeled himself at 
EclipseCon as a temporarily indepen- 
dent analyst, said that Oracle's decision 
to step up its commitments to Eclipse is 
an excellent move for a company that 



SDTimes 



has previously had a strained relation- 
ship with the open source community. 

"Top management [around the indus- 
try] still doesn't understand the econom- 
ics of the software business," 
said Williams, discussing past 
open source moves made by
Oracle. "Hurting open source 
is not going to work. It's too late for that. 
You have to be much more cautious 
about the effects of blowback, because it 
will get you. Oracle announced that they 
are going to donate TopLink and build 
test harnesses [for Eclipse]. That's a good 
move. The problem is — and [Oracle's] 
been schooled enough on this already — 
all these moves [against Red Hat and 
MySQL] overshadow the goodness that's 
available from this move they an- 
nounced." 

FROM THE SHOW FLOOR 

Of course, many other companies an- 
nounced new projects and products for 
the Eclipse community at EclipseCon. 
AvantSoft was on hand to offer up its 
Eclipse training classes. Among those 
classes is the company's popular RCP 
training course, which cuts the difficult, 
yet powerful Eclipse RCP environment 
down to a manageable size.
Actuate showed off the 
work it has done to extend 
and enhance Eclipse's 
Business Intelligence and 
Reporting Tools project. 
Actuate offers BIRT add- 
ons, such as a Web-based 
portal for building BIRT- 
based reports, and an inter- 
active viewer that allows 
reports to be dynamically 
visualized inside Web 
browsers. 




For developers looking
to analyze data, Business
Objects offered up its latest
version of Crystal Reports
for Eclipse. The company also presented
talks on such topics as plugging Crystal
Reports into existing POJOs (Plain Old
Java Objects), and routing the resulting
information into a Web-viewable format.

On the source code management
side of Eclipse, CollabNet showed off
some of the ways its new community site
can help developers better integrate
Eclipse and Subversion. Open.collab
.net offers a Web portal for developers
who wish to teach Subversion new
tricks. The site offers best practices,
documentation, training classes, and
plug-ins for Eclipse and other IDEs.

[Caption: Oracle's Dennis Leung is now a board member of the Eclipse Foundation.]

In the total package
realm, Genuitec showed
off its next version of My-
Eclipse Enterprise Work-
shop, version 5.5, which
should be out later this
year. That forthcoming
edition is said to add sup-
port for Spring 2.0, as well
as a host of new RCP tools.
Genuitec also announced
a new initiative to sell
its Eclipse distribution in
Japan, with the aid of
Hitachi.

Source code search
engine company Krugle
was on hand to announce
the release of its Eclipse plug-in, which
allows developers to search through mil-
lions of lines of indexed Web-available
code from inside Eclipse.

Finally, Instantiations showed 
attendees its new WindowTester Pro 
product. This automated GUI testing 
tool offers test reuse and compatibility 
with JUnit. Instantiations also showed 
off RCP Developer, which is now at ver- 
sion 3.0. This rich client development 
environment is based on Eclipse, but 
adds GUI design and testing tools to 
help simplify the process of building 
client-side applications.



IBM Pushes Linux Desktops 



BY ALEX HANDY 

IBM is using its employees as desktop 
Linux guinea pigs. All of IBM's 330,000 
employees can now choose to run SUSE 
or Red Hat Linux on their desktop com- 
puters, and the company is claiming that 
5 percent to 6 percent of its workforce 
has already switched, predominantly 
from Windows. 

IBM is using this internal deploy- 
ment as a way to increase its knowledge 
base around the installation and sup- 
port of Linux desktops in enterprise 
environments. 

IBM's internal push for Linux on the 
desktop is mirrored by a year-old external 
foray into the same domain. In 2006, the 
company began its first test installations of 
desktop Linux within its customers' 
offices, and has since spread the program 
to include more than 100 client business- 
es. IBM's Linux installation initiatives 
have been a trial by fire for the company's 
workers, who are all getting a crash course 
in supporting the operating system. 

Antony Satyadas, chief competitive 
marketing officer of IBM's software 
group, said that his company is building 
up the knowledge necessary to offer its 
customers full-time support and services
for Linux throughout their companies.

"It is a mixture of different distribu- 
tions," said Satyadas, speaking of the two 
Linux distributions favored by IBM. 
"There are some organizations that have 
adopted it fully. Then there are many 
who are looking at a more heteroge- 
neous environment. If you take a com- 
pany with 80,000 employees, maybe 
their plan is to take 20,000 to Linux. But 
that doesn't mean you stop there. I think 
there is a domino effect." 

But those dominoes don't fall easily, 
according to Bernard Golden, CEO of 
Navica. He wrote the Addison-Wesley 
book "Succeeding With Open Source," 
and said that the barrier to entry for Lin- 
ux on enterprise desktops is commitment. 

Golden said that retraining staff to 
use Linux, or any other operating sys- 
tem, costs time and money. "You pay off 
that right away and realize the benefits 
down the road. You say, 'Let's take all the 
pain right now,' " said Golden. 

Golden said that though IBM is fight- 
ing an uphill battle, it is also learning 
tactics in the best possible way. "It'll give 
them the credibility to say to other 
enterprises, 'You should consider doing 
this. We've done it,' " he said.

EdenTree Branches Out With Configuration Manager



BY JEFF FEINMAN 

EdenTree, a San Jose-based lab 
management solution company, 
in early March released Config- 
uration Manager, an application 
designed to reduce problems of 
server configuration complexity 
in software test labs through 
automated reconfiguration. 

EdenTree's Configuration 
Manager allows software devel- 
opment teams to automate the 
setup, archiving and restoration 
of Linux, Unix or Windows com- 
puters in significantly less time 
than it would take for manual 
reconfiguring. The basic compo- 
nents of Configuration Manager 
are a storage device for image 
archives, a SAN or LAN switch 
that connects to each of the man- 
aged servers, and a user-provid- 
ed network. Developers can save 
configurations to the storage 
device via the GUI or the script. 
The company claims that the 
product can reconfigure a lab in 
roughly 15 minutes to an hour. 

Configuration Manager also 
offers integration capabilities 
with EdenTree's Lab Manager, a 
platform for managing and 
scheduling connectivity of 
test equipment and network 
devices in labs. EdenTree offi- 
cials pointed out that both prod- 
ucts use the same client user 
interface, which makes the new 
product easier to use for devel- 
opers familiar with EdenTree's 
flagship product. 

MORE TIME, MORE TESTS 

"First and foremost, the biggest 
factor is that it is time-saving," 
said Roberta Gonzalez, vice pres- 
ident of marketing for EdenTree. 
"With the time saved, the 
amount of tests that can be per- 
formed increases. Software 
developers can easily capture and 
restore complex configurations to 
recreate the environment they 
need for testing or defect resolu- 
tions, whatever they need to do." 

EdenTree positions Configu- 
ration Manager as an operating 
system-independent, transpar- 
ent and programmatically acces- 
sible tool. Configuration is trans- 
parent, which results in devices 
that are identical to deployed 
systems. The programmatic 
interface of Configuration Man- 
ager allows automated configu- 
ration of devices and integration 
of physical topologies into auto- 
mated test procedures. 

Art Beall, CTO and co- 
founder of Fl Interop Solutions,
said that Configuration Manager
has helped his company in low-
ering costs. Fl Interop Solutions
is a Plano, Texas-based company
that specializes in interoperabili-
ty, solution and conformance
testing. The company, which was
the first customer to obtain the 
product from EdenTree, has 
used Configuration Manager for 
nearly seven months. "It increas- 
es speed for our testing cycles, so
since we can change up our
servers, we can get things done 
that initially we couldn't do," he 
said. "What might have taken a 
full day will now only take 10 to 
15 minutes of work." 



EdenTree was formed in 
May 2002, with the goal of 
automating network labs. In 
addition to San Jose, the com- 
pany has offices in Boston, 
Chicago and Plano.

Netuitive Takes Action on VM Management



BY P.J. CONNOLLY 

Netuitive jumps into the boom- 
ing field of virtualization with 
the April 2 release of its perfor- 
mance management tools for 
EMC's VMware ESX. But the 
company has aimed much high- 
er than simply collecting statis- 
tics and reporting them after 
the fact: Netuitive's SI for 
VMware attempts to make vir- 
tual machine management a 
proactive discipline instead of a 
reactive one. 

SI for VMware works by 
learning the normal operating 
behavior of ESX hosts, their 
guest VMs, and applications 
running within each VM, build- 
ing what Netuitive calls an 
"adaptive behavior profile." 
This allows a complete view of 
the entire resource pool, a nec- 
essary requirement for grid or 
utility computing, with what the 
company claims is up to two 
hours' notice of performance 
degradation. Badly behaving 
VMs can be identified and iso- 
lated, improving overall perfor- 
mance of the ESX server. 

Like Netuitive Service Ana- 
lyzer, SI for VMware is built on 
the company's real-time analy- 
sis engine, which uses multi- 
variable correlation and statisti- 
cal trends analysis to perform 
its forecasting. 

Daniel Heimlich, vice pres- 
ident of marketing for Netu- 
itive, observed that the new 
tools were a logical extension 
of the company's technology in 
the increasingly important area 
of virtualization. "Our focus 
has been in... next-generation 
business service management 
solutions, specifically the idea 
of being able to monitor and 
understand [the] performance, 
in real time, of applications 
and services." The objective, 
he noted, was "being able to 
cross-correlate the behavior 
patterns of those individual 
systems with the overall ser- 
vices that they represent, so 
that you... get an end-to-end 
view of what we call 'service 
health.'" 

SERVING UP AN ACE 

Meanwhile, VMware an- 
nounced the public beta of 
VMware ACE 2 Enterprise, its 
newest tool for building, man- 
aging and deploying desktop 
PC images as virtual machines. 
The ACE update offers the 
"Pocket ACE" feature that
allows the deployment of desk-
top VMs via portable rewritable 
media such as an iPod or other 
USB flash drive. 

ACE 2 Enterprise also 
includes a new ACE Manage-
ment Server, in the form of a
preinstalled, preconfigured vir- 
tual appliance. IT administra- 
tors can use VMware Worksta- 
tion 6 to create and securely 
package ACE virtual machines
for end-user deployment. ACE
VMs can be managed while in 
use by IT staff; end users retain 
access to system features out- 
side of the VM. 

The ACE 2 Enterprise beta
adds Windows Vista to the list of
supported operating systems, 
where it joins previous Windows 
versions as well as Mandriva, 
Red Hat, SUSE and Ubuntu 
Linux. It also adds support for 
USB 2.0, and virtual machine 
sizes up to 8GB. VMware 
expects to release ACE 2 Enter- 
prise around midyear.

Embarcadero Joins Business Modeling Parade



BY P.J. CONNOLLY 

Embarcadero Technologies 
boarded the business modeling 
bandwagon in mid-March with 
the launch of a new lightweight 
tool aimed at bringing business 
modeling to the masses. EA/Stu-
dio offers its users a conceptual
approach to modeling that is 
based on BPMN (Business 
Process Modeling Notation), 
and can use data created with 
Microsoft Excel and Visio. 

EA/Studio also works with
Embarcadero's established
ER/Studio tools for data model- 
ing, using EA/Studio's concep- 
tual data models to build 
logical and physical models in 
ER/Studio. The new tool set is 
designed for business users and
data modelers; the company's
plans include EA/Studio editions 
targeted at data modelers and 
SOA architects to be released 
between now and the end of 
2008. An "enterprise architect" 
edition will provide a superset of 
the targeted editions; by late
2008, the product should include 
a broad range of notations, 
ontologies and taxonomies. 

Donna Burbank, Embarca- 
dero's director of enterprise 
modeling and architecture, ex- 
plained that the roles and respon- 
sibilities of business modelers 
have grown in recent years and 
the company's ER/Studio cus- 
tomers "need to broaden out." 

MIDDLE GROUND 

According to Burbank, users 
were pleading, "Help us link our 
data with our process, and show 
how it relates to the organiza- 
tion." Although the company's 
first reaction was to go for a com- 
plete, overarching solution, the 
customers wanted something 
less ambitious, and less pricey.
Burbank explained that when 
Embarcadero took the plans for a 
super-solution to its user group, 
the group's reaction was, "Whoa." 

The result was EA/Studio 1.0, 
which is being positioned as a 
middle ground between Visio- 
like drawing tools and big-ticket 
enterprise architecture packages 
such as those from IDS Scheer or 
Telelogic. Embarcadero's meth- 
od starts with the data, and then 
wraps process and organization 
layers, embracing business arti- 
facts, concept and process mod- 
eling, and the relationships 
between them, in a way that 
allows for sensible integration. 

The business process model- 
ing in EA/Studio lets users vali- 
date process diagrams for BPMN 
compliance, preventing the in- 
troduction of modeling elements 
that don't comply. EA/Studio's 
ability to include both embedda- 
ble collapsible subprocesses and 
independent subprocesses in a 
process model gives users a tool 
that offers comprehensiveness, 
flexibility and usability. 

EA/Studio offers CRUD- 
style usage reporting, identifying 
the processes that create, read, 
update and delete data. Report 
filtering allows isolating by ob- 
ject or process type, letting users 
address specific requirements, 
linking processes to data. 

Business artifact modeling in 
EA/Studio addresses general 
concerns with broad data storage 
constructs for representing data- 
bases, file systems or other 
schemes; business terms that de- 
fine naming standards and sup- 
port logical data models are iden- 
tified and appropriate rules are 
developed by user modelers.

At Last, Visual Studio 2005 Works on Vista



BY DAVID WORTHINGTON 

The Visual Studio product team 
had a decision to make last fall as 
Windows Vista progressed to- 
ward release: It could either ship 
a first service pack for Visual Stu- 
dio 2005 that worked on the 
then-current versions of Win- 
dows, or wait for Vista. If it wait- 
ed, there would be no compati- 
ble version of Visual Studio 
ready when Vista launched. 
Since a delay wasn't acceptable 
to the team, the service pack was 
made available in December 
2006. Vista was unveiled one 
month later, but Visual Studio 
2005 was not certified to work 
with the operating system. 

Since that time, Microsoft 
has caught up with itself. Visual 
Studio 2005 Service Pack 1 for 
Windows Vista arrived in 
March. Earlier versions of Visu- 
al Studio cannot run on Vista. 

Tony Goodhew, a product 
manager in the developer divi- 
sion at Microsoft, explained 
that changes to the foundations 
of Windows made Visual Studio 
incompatible with Windows 
Vista. "We got it out the door as 
quickly as we could, put aside 
the Vista work to occur after- 
wards, and then began to work 
on getting it to work nicely on 
Vista," he said. 

"Visual Studio does a lot of 
what malicious code would do," 
Goodhew said, alluding to its 
higher-level processes. 

According to Goodhew, 
Visual Studio 2005's ability to 
run on Vista was hampered by 
changes in the operating sys- 
tem's networking stack, graph- 
ics model and the inclusion of 
User Account Control. 

The service pack's develop- 
ment is bracketed by Micro- 
soft's desire to usher customers 
onto the Orcas edition of Visual 
Studio. No new features were 
added — just compatibility up- 
dates to make Visual Studio 
current with Vista. 

Orcas is the next generation 
of Visual Studio and is slated for 
release by the end of 2007. It is 
Microsoft's preferred IDE for 
building Windows Vista and 
Office 2007 "ribbon" interface 
style applications. 

Yankee Group analyst Laura 
DiDio predicted that develop- 
ers will be very challenged to 
develop leading-edge .NET 
and Vista applications if Orcas 
is delayed. "Microsoft's top tier 
of customers could ask Microsoft
for extensions to APIs for
specialized applications as an 
exception. For ranks and files, 
[a delay] could be a little prob- 
lematic, depending on the 
functionality that they want. I
would want to be working with
the latest and greatest code, so 
I would be on the phone with 
Microsoft myself." 

Microsoft continues to enhance its Web development
capabilities. Orcas is swimming with enhanced HTML, CSS
designer and JavaScript support; integrated AJAX support;
expanded data query and manipulation capabilities with LINQ
(Language Integrated Query); and can target multiple versions
of the .NET Framework during application development.

Other highlights of the next Visual Studio release will be
SharePoint extensions and an updated version of the .NET
3.0 Framework that will be built in as version 3.5.
Java: The Language of Security



Fortify report claims that software written in Java is most secure 



BY JEFF FEINMAN 

Software components written 
in Java are more secure than 
components written in other 
languages such as C, C++ or 
PHP, according to a report from 
Fortify Software. 

The report was released 
through Fortify's Java Open 
Review Project, a free initiative 
to help open source developers 
detect security vulnerabilities 
and bugs. The report states 
that on average, only .07 secu- 
rity and quality defects were 
found for every thousand lines 
of code in a review of multiple 
open source projects written in 
Java. By contrast, according to 
the report, non-Java based soft- 
ware being developed contains 
20 to 30 security and quality 
defects for every thousand 
lines of code written. 

Fortify claims that Java is 
the safest way of writing 
because of its conservative 
architecture, which doesn't 
lend itself to memory vulnerabilities,
such as buffer overflows. The Java memory manager
ensures that parameters
that are going into random 
access memory operations are 
in check, according to the com- 
pany. Using a garbage collector 
to reclaim memory occupied by 
inaccessible objects can help to 
prevent such vulnerabilities. 

"It kind of stops you from 
doing stupid mistakes," said Bar- 
mak Meftah, vice president of 
products and services for Fortify. 
"C and C++ are fairly open lan- 
guages, and so they're very non- 
conservative in their approach to 
garbage collection and memory 
management. The majority of 
developers don't necessarily 
think of security when they code, 
and so Java does a really good job 
of ensuring that you don't make 
mistakes." 

However, analyst Jon Rymer 
of Forrester Research said he is 
not convinced that evaluating 
security-related features of lan- 
guages is very useful. "I don't 
believe it's reasonable to say that 
any language is inherently more 
secure than any other language," 
he said. "Languages are just
products, and so subject to
human error in their application. 
The last five or so years of 
hacker attacks, I think, say pri- 
marily that the various vulnera- 
bilities of runtime environ- 
ments — Web servers, databases, 
e-mail servers, desktop apps — 
are the real problems." 

Meftah, meanwhile, said 
that developers need to be held 
more accountable for keeping 
security in mind when writing 
code. He said that one software 
corporation that has adopted 
this approach is Microsoft with
Trustworthy Computing, a
memo sent out through the 
company in 2002 calling for 
more secure products. 

"Bill Gates basically sent 
out a mandate to all the devel- 
opers of the company saying, 
'Listen, you're going to be edu- 
cated on issues of security, and 
any vulnerabilities that are 
found in a piece of code that 
you write are not going to be 
tolerated at all,' " Meftah said. 

Fortify is on the front lines 
of Java code analysis: The Java 
Open Review Project runs
FindBugs, an open source project
that uses static analysis to
inspect Java code, and Fortify 
Source Code Analysis (SCA) 
against code to determine vul- 
nerabilities. The Java Open 
Review Project reviewed Java 
software packages including 
JBoss' query service Hibernate 
and the Spring Framework. 
The Apache Foundation's 
Struts, which is used in devel- 
oping Java EE Web applica- 
tions, and Tomcat, which 
implements Java Servlet and 
JavaServer Pages, were also 
reviewed. Those Java packages 
are used widely by software 
developers in the creation of 
applications, according to 
Meftah.



FORTIFY PLAYS DEFENDER FOR .NET APPLICATIONS 



BY JEFF FEINMAN 

Fortify Software extended its 
Fortify Defender solution in 
mid-March for applications written
in .NET. Defender monitors
functions and APIs inside Web 
applications. Fortify officials said 
this offering is an ideal solution 
to monitor and protect .NET 
applications at deployment. 

Fortify Defender offers 
compliance with Payment Card
Industry (PCI) standards, which
state that any Web-based appli- 
cation that deals with credit 
cards must be put through an 
appropriate source code audit, 
or the company must install a 
firewall. The PCI standards 
must be met by June 2008. 

The offering also provides 
attack forensics, which note the 
date and type of attacks on an 
application. 



Barmak Meftah, vice presi- 
dent of products and services 
for Fortify, said the company 
can now offer solutions catering 
to applications built with Java 
and .NET. "The majority of
Web applications today are now 
either built with Java or .NET, 
so we feel that having the prod- 
uct work on those two plat- 
forms covers a whole bunch of 
Web applications out there."

Telelogic Opening DOORS For
Business Software Projects 

Plan is to put requirements on Fastrak 



BY JEFF FEINMAN 

Looking to provide more requirements 
management capabilities for develop- 
ers, Telelogic announced on March 20 
the debut of DOORS Fastrak. 

In contrast with Telelogic DOORS, 
which is more suited to long-term engi- 
neering projects such as aircraft or tele- 
com system design, the company says 
DOORS Fastrak is ideal for business 
software projects, including inventory 
systems, payroll management or the 
development of Web sites. Telelogic is 
offering DOORS Fastrak as a conven- 
tional software package, or through its 
SaaS (software-as-a-service) portal. 

"It's much faster, the development 
is much faster, and that's the key 
thing," said Paul Raymond, vice presi- 
dent of marketing for Telelogic. "With 
the engineering projects, because they 
last so long, they have a very large 
requirement development phase. With 
these fast-paced projects, they start out 
with some of the needs of the cus- 
tomer, and they'll provide a quick first 
version, a prototype, and they'll take 
feedback from the customer. Then 
they'll go back and do another iteration 
to get to a solution. You can't do that on
these large engineering projects."

One of the main features of the 
offering is automatic version control, 
which automates impacts of change. 
Raymond said that automatic version 
control is possible in DOORS Fastrak 
because the impact of change in busi- 
ness software projects is less than in 
engineering projects. 

Raymond said that "out-of-the-box" 
automated workflow and step-by-step 
guidance meet the needs of developers 
working on smaller business software 
projects. DOORS Fastrak presents 
customers with Web-based access to 
requirements, and allows them to mon- 
itor related actions. 

"With these fast-paced business 
software projects, usually it's collocat- 
ed teams that are working together in 
a rapid sense," Raymond said. 
"DOORS Fastrak provides the ability 
for a stakeholder to get involved. It 
provides a process where you don't 
have to write large volumes of require- 
ments. The features of DOORS Fas- 
trak are particularly honed to the char- 
acteristics of these fast-paced projects, 
rather than the large and lengthy engineering
projects."



Shift Seen in Security Market 



< continued from page 1 

the relatively small size of the market for 
such tools. 

"Viewed charitably, the Fortify/ 
Secure Software deal could be seen as 
just another Darwinian market event: 
One strong competitor overtakes anoth- 
er," wrote Jaquith. "However, Yankee 
Group believes the deal marks a turning 
point. Fundamentally, Secure Soft- 
ware's fortune underscores the compet- 
itive difficulties faced by nearly all par- 
ticipants in the code assurance market, 
which is less than $30 million in size. 
The deal suggests that we are witness- 
ing the beginning of the end of the 
standalone market." 

With so little money in the market- 
place for secure coding solutions, 
Jaquith wrote, the consolidation of 
Secure Software and Fortify could por- 
tend a coming consolidation in the 
space, as clients become scarce. There is 
one thing, however, that Jaquith expects 
could spur growth in the code security 
scanning market: legislation. 

"Regulation and the related fear of 
jail time are the most compelling dri- 
vers of security product purchases, with 
contractual obligations being a close
second," wrote Jaquith. "In contrast,
well-meaning enterprise security poli- 
cies that mandate secure development 
practices are much less compelling. 
Until regulators or a strong industry 
body such as the payment card industry 
force enterprises to use code scanning 
tools, they will take a back seat — cor- 
rectly — to other initiatives." 

Now that the dust has settled on the 
acquisition, Jaquith credits Fortify with 
cementing its position as the market 
leader in code assurance scanning. That 
company has also created its own open 
source project, FindBugs, in order to
expand its appeal, but Jaquith did not 
see this as a market-changing strategy. 
Indeed, he sees the entire code scanning 
market as destined for a diversified 
future, not a specialized one. 

"The market is too small to sustain 
specialist vendors whose products do 
only one thing: statically analyze core 
code libraries for bugs," wrote Jaquith. 
"With apologies to Isaiah Berlin and 
Archilochus, Secure Software wanted to 
be a 'hedgehog' — an animal that knows 
only one thing. But the market has 
shown that it wants 'foxes' — such as Fortify —
who know many things."

Sun Updates Java
Enterprise System 



BY ALEX HANDY 

Sun Microsystems updated Java Enter- 
prise System to version 5.0 in early 
March, bringing a more modular 
approach to the Java application stack, 
and allowing developers to pick and 
choose the various versions of software 
they desire at each level. New modular 
update capabilities permit the upgrad- 
ing of each piece of the application 
server stack, without affecting other 
aspects of the server. 

Rajiv Chamraj, group marketing 
manager for Java Enterprise Systems, 
noted that the new version of his com- 
pany's enterprise Java stack includes 
management tools that make running 
Java under Solaris easier. A new installer 
automatically configures permissions for
the various Solaris security zones.

Sun's Java Enterprise System 5.0 is 
also the first such stack from Sun to sup- 
port Java EE 5, which was released last 
year at Sun's JavaOne conference in San 
Francisco. That means developers can 
take full advantage of Enterprise Java- 
Beans, annotations and many of the new 
identity management tools that Sun has 
produced over the past year. 

For developers looking to deploy to 
the new version of Java Enterprise Sys- 
tem, Sun is offering tooling for Net- 
Beans that should ease the coding 
process. Chamraj added that Sun Stu- 
dio Creator is included with the Java 
Enterprise System, and offers the tools 
developers need to deal with the Java 
DB, AJAX and persistence.



PERFECTBUILD 
NOW MANAGES 
DEPENDENCIES 

BY JEFF FEINMAN 

CodeFast, a San Jose-based provider of 
object-oriented build automation and 
management solutions, announced on 
March 23 the release of PerfectBuild 
2007. 

The key feature of PerfectBuild 2007 
is on-demand dependency management, 
which identifies the dependencies in 
source files, reaching across platforms 
and projects to automatically discover 
and track dependencies at all levels, 
then displaying them in a unified view 
for impact analysis. 



Jon Gettinger, vice president of mar- 
keting for CodeFast, said that compo- 
nent-based development has had a ben- 
eficial effect on the build industry over 
the past few years, as it promotes 
reusability, but "building, with all 
these dependencies and relationships, 
[becomes] more complex." Gettinger 
added, "Systems are also a lot bigger, 
and a lot of these legacy systems are slow 
and hard to work with, so organizations 
need a solution like PerfectBuild." 

Founded in 2004, CodeFast created 
PerfectBuild as a build automation 
product with storage for dependency 
information, whether it is source code 
and process dependencies or dynamic 
and static dependency sources. Per- 
fectBuild can also work with a develop- 
er's existing build structure and sup- 
port multiplatform and multilanguage 
builds.



NetAdvantage for .NET 2007 
Volume 1 Now Available 



BY DAVID WORTHINGTON 

Infragistics has made available NetAdvan- 
tage for .NET 2007 Volume 1. NetAdvan- 
tage is a presentation layer development 
tool suite that allows developers to build 
applications and style user interfaces 
derived from NetAdvantage controls. 

The release delivers an AppStylist 
tool for ASP.NET that brings .NET 
application styling up to par with Win- 
dows Forms rich clients. The NetAd- 
vantage AppStylist tool for Windows 
Forms now includes express styling, a 
shortcut to custom styling for an entire 
application. 

Prebuilt user interface styles are bun- 
dled for rapid deployments and are 
modeled after the Office 2007 and Win- 
dows Vista "Aero" standardized UIs. 



Developers may also build their own 
customized interfaces that adhere to 
corporate application standards and can 
be made Section 508-compliant for peo- 
ple with disabilities. 

In addition, the company says that 
Windows Forms and ASP.NET controls 
have been improved, and NetAdvantage 
has full Windows 64-bit architecture 
support. 

NetAdvantage is compatible with 
ASP.NET AJAX, software developed by 
Microsoft to extend Visual Studio for 
Web developers. A compatibility patch 
to NetAdvantage for ASP.NET, re- 
leased in January, added support for 
Microsoft's UpdatePanel control, AJAX 
Library, and the ASP.NET AJAX Control
Toolkit.






NEWS 



Software Development Times, April 1, 2007



www.sdtimes.com 



Solstice Shortens SOA Testing Time 

Integra Suite 5.4 scales up and automates testing 



BY DAVID WORTHINGTON 

Service-oriented architecture is 
becoming more commonplace 
in the enterprise, but its com- 
plexity can rob project leaders 
of their resources when defects 
surface within their deploy- 
ments. Defects are understand- 
ably inevitable but are also pre- 
ventable if SOA and integration 
testing occurs early and often. 

Developers are doing just 
that. Bob Carmichael, chief 
technology officer of Solstice, 
has observed what he believes 
is the genesis of massive SOA 
test repositories. Integra Suite 
version 5.4 has been scaled 
upward to accommodate test 
repositories that host thousands 
of test cases, accessible across 
distributed teams. Accordingly,
Integra has been optimized for
large message payloads as well. 

Performing tests is an 
impediment developers must 
overcome. Carmichael insisted 
that traditional testing methods 
are not robust enough for SOA 
and that a quality testing 
approach must "open up the 
black box" to validate processes 
across all protocols, messages, 
languages and services. 

Carmichael stressed that in 
addition to increased test cover- 
age, the key to effective SOA 
testing was test automation; this, 
he said, "is easier said than done, 
given the complexities of SOA." 

Integra users can write tests 
against functioning processes, 
but that's just the start. Challenges
can arise when testers are
called upon to certify end-to-end
processes even though some par- 
ticipating systems are unavail- 
able. Solstice offers simulation 
capabilities that can be used to 
build a repeatable regression 
solution, said Carmichael. 

Another hurdle to automation 
is test creation. Integra imports 
test data in industry-standard and 
custom message formats, includ- 
ing XML and two TIBCO-specif- 
ic message formats (Active 
Enterprise XML and Rendez- 
vous), and then automatically 
generates test cases. Its message 
handler framework can accept 
data of any kind, but must be cus- 
tomized for nonstandard formats 
to integrate into test cases. A 
command line utility assists with 
test creation by allowing testers
to load existing test data into the
repository in batches. 

Removing hurdles to automa- 
tion allows tests to be written 
and reused throughout the life 
cycle, from infancy to beyond 
deployment, said Carmichael. 
"Release 5.4 reduces the cost of 
automating tests, the most criti- 
cal factor in achieving repeatable 
regression testing." 

Carmichael reasoned that 
Integra can reduce the cost of
SOA testing, thanks to its use of 
current test data from BPM 
solutions, then automatically 
repurposing it for automated 
tests. Integra Suite 5.4 is certi- 
fied against all versions of HP 
Quality Center, up to 9.0, and 
has a newly rewritten TIBCO
platform library.



Alternatives to Microsoft UAC Spring Up 



< continued from page 1 

gineered under the assumption 
that all users had administrator 
access to the desktop. If an appli- 
cation does not have the privi- 
leges it requires for a task, it can 
stop dead in its tracks. 

As it stands today, some IT 
administrators must hand over 
local control of the desktop to all 
users — including limited users — 
to make applications work. Users 
with higher privileges can modi- 
fy system settings, install incom- 
pliant applications, and are more 
vulnerable to malware. 

ENTERPRISE READY? 

John Moyer, president of 
BeyondTrust, believes that UAC 
is unacceptable for the enter- 
prise because it is not policy- 
based, allows the user too much 
trust, and runs afoul of least- 
privilege computing. "Essentially 
UAC has failed to meet the 
needs of the enterprise — even 
restricted users would need 
administrative credentials. From 
where we sit, it is a very good 
solution for the home users. 
They own the machine and can 
make those decisions." 

BeyondTrust CTO Marco 
Peretti chimed in, arguing that it 
does not make sense for UAC to 
be the same on all versions of 
Windows Vista. "Microsoft had 
to make a choice, and they chose 
to protect home users over cor- 
porate customers," said Peretti. 

A Microsoft spokesperson said that none of the security
features in Windows Vista is intended as a "silver bullet"
solution to computer security. The spokesperson suggested
that Microsoft's "defense in depth" approach makes Windows
Vista more difficult to attack, and more secure, than prior
versions of Windows.

Although Microsoft has the technology to keep users in
restrictive groups while creating exceptions for applications
that require more privileges, it's not yet integrated with
Windows. It acquired two competing solution providers of
business-oriented policy-based privilege escalation software
in 2006: Desktop Standard and Winternals.

Caption: UAC prevents an untrusted program from making
any changes to Windows.

Desktop Standard's Policy- 
Maker Application Security and 
Winternals Software Protection 
Manager permitted administra- 
tors to elevate a specific applica- 
tion or process' security token 
according to the user type, 
group or computer. Microsoft 
has not shipped any of the prod- 
ucts it acquired individually or 
as part of Windows. 

Desktop Standard's founders 
walked away from the acquisition 
with their PolicyMaker Applica- 
tion Security software and 
became BeyondTrust. Microsoft 
transformed Desktop Standard's 
GPOVault Enterprise software 
into Microsoft Advanced Group
Policy Management and has
included it in the Desktop Opti- 
mization Pack for Software 
Assurance. 

Michael Cherry, an analyst 
with research firm Directions on 
Microsoft, noted in an e-mail that 
as a general rule of thumb, 
"Microsoft only brings forward 
products from an acquisition that 
match its product plans." 

A COTTAGE INDUSTRY 

BeyondTrust's PolicyMaker is 
an extension to group policy 
that implements exemptions for 
applications requiring adminis- 
trative-level privileges, while 
keeping users in the same 
restricted security context. It is 
managed through the Microsoft 
Management Console. 

There are rule types for appli- 
cation and ActiveX controls, and 
network shares for deploying
licensed packages. It is centrally
managed and transparent to the user, supporting
Windows 2000, Windows XP 
and Windows Vista, on both 
32- and 64-bit systems. 

BeyondTrust isn't the only 
vendor bringing policy-based 
least-privilege management 
solutions to the table. Xeriton 
is selling software targeting 
the masses: home users and 
small and midsized business- 
es that have standardized on 
Windows 2000 or Windows 
XP and have not yet adopted 
Windows Vista.

Xeriton's WindowsZones
modifies security tokens for 
processes and strips processes 
of privileges that the process 
would normally inherit from the 
user account. Application pro- 
files may also be modified with- 
out running the applications. 

This approach avoids appli- 
cation compatibility issues that 
may arise out of Windows Vista's 
use of limited user accounts. It is 
also necessary because of the 
way that Microsoft implement- 
ed the user account system in 
Windows XP, said Allen Nie- 
man, vice president of business 
development at Xeriton. 

"Microsoft wants people to 
go to Vista to get UAC; they 
don't want to publish a similar 
User Account Control applica- 
tion. They don't want to put new 
technology in an old operating 
system," said Nieman.



W3C Seeks 
Open Dialog 
On HTML 

< continued from page 1 

will be drafted with a more 
open process to mollify Web 
developers. Tim Berners-Lee, 
the W3C's director and inventor 
of HTML, commented, "It's 
time to revisit the standard 
[HTML] and see what we can 
do to meet the current commu- 
nity needs, and to do so effec- 
tively with commitments from 
browser manufacturers in a visi- 
ble and open way." 



XHTML SLIDES CLOSER TO XML 

The group's design aim for 
XHTML 2.0 — to use applicable
XML standards rather than 
HTML features — has made it 
distinct from HTML. The W3C 
may go a step further, and has 
taken under consideration the 
option of rebranding XHTML 
to emphasize its independence. 

There are also evolutionary 
changes to element attributes 
and functionality. These changes 
have stirred some controversy: 
XHTML 2.0 is not fully back- 
ward-compatible with HTML, 
because XForms and XML 
Events require user agents not 
found in HTML. 

Schmelzer predicted that 
XHTML will separate the user 
community into two camps. 
There will be one community for 
users of traditional HTML tools, 
best practices and disciplines. 
And a different community will 
emerge for those interested in 
the stricter, more evolutionary 
approach of XHTML. 

"Technically, it is a separate 
language. XHTML makes 
HTML more enforceable and 
imposes XML requirements on 
HTML. It will cause some peo- 
ple some problems because 
Web developers have gotten 
away with lazy coding style. 
HTML is very forgiving; XML is 
much more rigorous and must 
be validated by a schema. This 
will change the behavior of Web 
developers and break them away 
from how they did things in the 
past," said Schmelzer. 

The XHTML 1.0 specifica- 
tion was developed in 2000 — 
without much controversy — as 
an XML formulation of HTML 
4.01. XHTML documents are 
parsed using standard XML 
libraries; HTML requires a 
more intricate custom parser.






EMBEDDED & WIRELESS NEWS 






Adobe's on the Move With CS3 

New design tools enable device-specific content to be created 



BY P.J. CONNOLLY 

Adobe Systems is taking mobile 
devices seriously as a platform, 
as evidenced by the March 27 
introduction of Adobe Device 
Central CS3, simultaneous with 
the launch of the company's 
Creative Suite 3 family. 

Anup Murarka, Adobe's 
technical marketing director for 
mobile and devices, noted that 
Adobe's "focus continues to be 
on creating great experiences," 
and the company sees "the 
mobile phone as a new end- 
point, instead of a print maga- 
zine, or a desktop computer 
and a Web interface." 

Murarka added, "We're see- 
ing such rapid adoption, that 
we believe over the next cou- 
ple of years new mobile phone 
shipments using Flash will sur- 
pass our desktop-installed base 
of Flash players." Last year, the 
Strategy Analytics consultancy 
forecasted that by 2010, there 
will be 216 million Flash- 
enabled handsets in use world- 
wide. Since last year also saw 
the sale of the billionth mobile 
handset, that represents a sig- 
nificant fraction — especially in 
terms of purchasing power — of 
the user base. 

Caption: Adobe Device Central allows content designers to view
mobile devices sorted by screen size, reducing the chore
of customizing images for the audience.

Device Central CS3 is meant to simplify the authoring
of mobile content by
reducing the complexity of 
previewing and testing across 
a broad range of device capa- 
bilities. The CS3 Design and 
Web editions will ship in April 
for Windows XP and Windows 
Vista platforms and Mac OS X; 
both Intel- and PowerPC-based
Macs will be supported
with Universal binaries. The 
Production and Master Col- 
lection editions will become 
available by the fall, again for 
Windows XP and Windows 
Vista; on Mac OS X, these edi- 
tions will run only on Intel- 
based systems. 

Device Central CS3 includes
a built-in library of more
than 200 mobile device profiles 
from OEMs such as Nokia and 
Sony Ericsson, and carrier pro- 
files from Verizon and other 
operators. Content developers 
can start a project in one of the 
standalone applications and use 
the Device Central features to 
optimize performance for a
specific device or group of
devices. 

Murarka noted, "There are 
so many more touchpoints for 
consumers with brands and 
companies that they want to 
interact with." He continued, 
"Much of what we're doing 
from a device perspective, 
from a business perspective, is 
taking the same great cross- 
platform tools [and] cross-plat- 
form runtimes that you're 
familiar with, and bringing 
them into a new platform." 

The device profiles are auto- 
matically updated, and are 
sophisticated enough to simu- 
late backlighting and sunlight 
reflection, and other device 
properties, allowing developers 
to adjust content based on envi- 
ronmental conditions as well as 
the state of the phone. For 
example, under low battery 
conditions, content can be 
delivered in a low-resolution 
mode, economizing on power. 

The company will not sell 
Device Central separately, but 
instead will include it as part of 
the CS3 Design, Web and Pro- 
duction Premium editions, as 
well as franchise products such 
as Flash, Illustrator, Photoshop 
and Premiere.



Sybase Adds Cross-Platform Mobile IM 

New features based on OneBridge Messenger to debut by midyear 



BY P.J. CONNOLLY 

Sybase's iAnywhere subsidiary 
jumped on the still-rolling pres- 
ence bandwagon, by announc- 
ing plans to add instant messag- 
ing and presence capabilities to 
its Information Anywhere suite 
for mobile applications. 

Senthil Krishnapillai, iAny- 
where's manager of product 
management, explained the 
role of the new mobile IM fea- 
tures: "We have today a mobile 
e-mail component that is cross- 
platform, both on the device 
side as well as on the network 
side. What this instant messag- 
ing component... [will] do is, 
basically, complement our 
mobile e-mail by providing a 
messaging capability on the IA 
suite." 

The feature set, formerly 
packaged as OneBridge Messenger,
has new capabilities that
provide single-client access to
enterprise IM systems, includ- 
ing IBM Lotus Sametime, Jab- 
ber Wildfire and XCP, Micro- 
soft Live Communications 
Server, and Reuters Messaging; 
public IM systems that use 
XMPP (Extensible Messaging 
and Presence Protocol) such as 
GoogleTalk and Jabber are also 
supported. 

The new Information Any- 
where features include logging 
and routing capabilities that 
help companies demonstrate 
compliance with external as 
well as internal auditing re- 
quirements. 

Krishnapillai noted, "We help enterprises in two main ways: We help them extend the instant messaging that they are... accepting as another form of communication, to various mobile devices." He continued, "The second important thing that we provide with this solution is that we enable enterprises to bring all their mobile IM communications into their auditing and compliance policies."

Palm, RIM BlackBerry, Symbian and Windows Mobile devices can use the Information Anywhere client to broadcast users' "presence" — in the context of IM, where one is available, busy and so forth — to other applications that deliver content to users when appropriately connected. The client allows users to maintain access to multiple IM networks; BlackBerry and Palm devices allow the use of multiparty chat as well.

The new features of Information Anywhere are expected to be available this spring and are compatible with a number of IM management and security tools, including those from Akonix, FaceTime and Symantec, allowing a much-improved degree of corporate supervision. Krishnapillai observed that IM over public networks escapes the scrutiny of enterprise policies: "The problem with mobile IM today is... the traffic never comes into the enterprise, because it goes right from your ISP into [an IM vendor's] network." He added, "What we do is we establish a secure connection between the device and the enterprise network, and then route all the traffic" through the enterprise's monitoring tool of choice.

A Web-based interface and over-the-air deployment make a degree of self-service provisioning of the mobile IM features possible, while data security is provided end-to-end, with 168-bit DES encryption.

Windows Vista Migration No Small Feat

Tweaking a single application to work well under new operating system takes time and money



BY JENNIFER DEJONG 



Windows Vista doesn't come cheap. The business edition of the new Windows operating system software runs about US$200 per license — and that's just for the upgrade. Add to that the cost of replacing older desktop or laptop computers with new models powerful enough for Vista to perform well, and a companywide migration quickly runs into serious money. (See box on page 30.)

Much has been made in the technology press of the software and hardware expenditures surrounding Windows Vista migrations. But another key cost has been largely ignored: the time invested in testing and tweaking existing applications to make sure they run properly under Vista. None of the nine developers whom SD Times spoke to for this article (most of whom run all-Microsoft shops) assigned an actual dollar figure to Vista migration projects. But almost all of them said that the time commitment is not trivial. Because of the new security approach Microsoft implemented in Vista — known as User Account Control (UAC) — migrating a single application from Windows XP to Windows Vista can take a team of developers and testers anywhere from two weeks to a few months, they said.

"It took us several 
months to complete the 
migration," said Cake- 
walk CTO Noel Borth- 
wick, referring to one of 
the digital audio applica- 
tions the software maker sells. 
"UAC sucked the most time out of 
us." To make sure the application devel- 
oped for XP worked properly with Vista's 
new security approach, "you have to exer- 
cise every code path an application can 
take, [figuring out] every permutation, 
every combination," he said. The migra- 
tion process was particularly time-con- 
suming because the Cakewalk application 
in question relies heavily on plug-in soft- 
ware developed by third-party tool mak- 
ers, and the plug-ins had to be tested and 
tweaked as well, he said. 

Readying most line-of-business appli- 
cations for Vista won't take quite as long, 
said Jon Rauschenberger, CTO of Clarity 
Consulting, which offers .NET and Java 
software development services. "We esti- 
mate about two weeks per application." 

The time commitment aside, all of the developers said that their Vista migration projects have proceeded according to plan, and that the migration guidelines and the free tools provided by Microsoft to pinpoint where incompatibilities lie (such as the Application Compatibility Toolkit 5.0) have proved useful. "Migrating an application to Vista is like starting a diet or a workout plan. It's challenging, but it [pays off] if you stick with it," said Jonathan Goodyear, president of .NET consultancy ASPSoft. "The challenges were not beyond what Microsoft told us to expect," he said. The UAC problem is well documented, added Rauschenberger. "It's easy to understand what to do."

VISUAL STUDIO READY FOR VISTA? 

While they were quick to praise Microsoft 
for easing the migration process, several 
of the developers expressed disappoint- 
ment that, as of early March, Visual Stu- 
dio 2005 still fell short of full support for 
Windows Vista. "Peeve No. 1 is that Vista 
doesn't play nicely with Visual Studio 
2005," said Chris Menegay, a principal 
consultant for Notion Solutions, which 
provides .NET development services and 
also sells tools for Visual Studio Team Sys- 
tem. The problem is related to UAC, he 
noted. "The debugger requires elevated 
permissions." Once the permissions issues 
were sorted out, he said, Visual Studio ran 
smoothly. 

To address the problem, Microsoft has readied Visual Studio 2005 Service Pack 1 Update for Windows Vista. At the time of this writing, the beta version of the update was available, and a final version was expected in mid-March, according to a Microsoft spokeswoman. "It's unfortunate. I wish it were ready on time," Bill Wagner, founder of SRT Solutions, said of the expected update. "But the development tool is tricky to get right from a security standpoint."

Wagner's company provides develop- 
er training and mentoring, among other 
services. 

At the heart of the UAC problem is 
that much of the code in applications 
designed to run under Windows XP 
requires administrator privileges. But 
Vista forces developers to write code 
that runs as a standard user. Microsoft 
group product manager Jay Roxe said 
UAC is the result of the company's deci- 
sion to implement stronger security in 
Vista. UAC makes it difficult for mali- 
cious software — worms or viruses — to 
take control of a user's computer, he 
said. "One of the first things malware 
tries to do is gain administrator control 
of the machine," Roxe said. 

XP applications that run under standard user accounts work fine on Vista, noted Billy Hollis, who heads .NET consultancy .NET Masters. But XP applications that run under administrator accounts cause problems when they are ported to Vista because they store data in locations that standard users don't have access to, he explained. "They need updating because they expect to be able to do something that Vista won't let them do."



The time it takes to migrate an application to Vista from XP is highly dependent on what the application does and how it has been architected. "If all it's doing is storing temporary data, there's not a huge amount of work," said Goodyear. "You can sift through and look for places that save files."

Migrating to Vista is much easier if you were following good security practices with XP, added Wagner.

One thing that Patrick Hynds, president of .NET consultancy CriticalSites, likes about Windows XP is that it allows developers to run older versions of Visual Studio on it. "Vista doesn't do that," he said. Developers targeting Vista are forced to use Visual Studio 2005. "We have never had a [new] operating system that doesn't support the previous versions of the [development platform]." That puts developers in a tough place, because plenty of companies are still running XP, he said, "or — dare I say it — Windows 2000." And it's important to develop on the operating system the application is targeting, added Hynds.

Microsoft has said earlier that 
it will not support Visual Studio 
.NET 2002 or Visual Studio 
.NET 2003 as development envi- 
ronments on Windows Vista. 
"We are focusing our efforts on 
ensuring VS 2005 is a great 
development platform for Vista," 
said Microsoft's corporate vice 
president of the developer divi- 
continued on page 32 ► 



VISTA MIGRATION DOESN'T COME CHEAP

OPERATING SYSTEM SOFTWARE

Windows Vista Business Edition costs US$299 per user, $199 for the upgrade; Windows Vista Ultimate Edition costs $399 per user, $259 for the upgrade.

HARDWARE REPLACEMENT

Windows Vista makes heavy demands on PCs from a memory, processor and video card standpoint. While IT shops upgrade existing PCs to run the new operating system, replacement computers are often in order. A desktop such as the Dell Dimension E521, equipped to run Vista, starts at around US$879, while a Vista-ready Dell laptop, such as the Inspiron E1705, starts at about $1,500, according to Dell's Web site.

TESTING AND DEVELOPMENT TIME

Migrating XP applications to run properly under Windows Vista requires anywhere from two weeks to several months of developer and tester time, according to developers that spoke to SD Times for this Special Report.

—Jennifer deJong

Beyond Vista, Longhorn Looms on the Horizon



BY JENNIFER DEJONG 

Longhorn, the alias given to the 
successor to Windows Server 
2003 that's expected later this 
year, is aimed largely at IT 
administrators. But it also in- 
cludes overhauled Internet In- 
formation Services (IIS). 

That is a big deal for devel- 
opers, said Jon Rauschenberger, 
CTO of Clarity Consulting, 
which provides .NET and Java 
development services. "Most of 
what developers want today they 
have in .NET 3.0, running on 
Windows Server 2003. But IIS7 
is important," he said, referring 
to the forthcoming version of 
Microsoft's Web server. 

With Longhorn, Microsoft 
introduces some significant 
changes to IIS. Chief among 
them is the ability to configure 
and reconfigure separate mod- 
ules of the Web server, selecting 
only those that the Web applica- 
tion in question requires, said 
Steven A. Smith, president of 
ASPAlliance, which operates a 
developer resource Web site of 
the same name. A developer 
can enable and disable modules 
for default authentication, basic 
authentication and anonymous 
authentication, or add one for 
smart card authentication, he 
said, offering an example. In the 
past, everything was baked in, 
he said. "It's much more flexible 
now." 

Keeping things modular is the mantra of IIS7, said Jonathan Goodyear, president of .NET consultancy ASPSoft. The ability to run only those components that are needed is important because it dramatically reduces the number of bugs that developers have to deal with. "There was a lot of patching going on in the earlier version of IIS." And it often turned out that the bug resided in a part of the Web server that the application wasn't even using, he explained.

The user interface of the IIS7 manager has also been overhauled, said Goodyear. "It has a very browser-like feel. I think we can all agree the previous version was a bit outdated."

The user interface of the IIS7 manager now has a 'browser-like feel,' says ASPSoft's Goodyear.



Microsoft expects to ship Longhorn during the second half of 2007, a company spokeswoman said. Longhorn Beta 3 will be available by the end of June, at which point Microsoft will announce the final name of the Windows Server 2003 successor. Delivery dates are not fixed, but "development is on track," the spokeswoman said.



DEVELOPERS AREN'T DESIGNERS

As Windows Vista begins to take hold, a new organizational challenge is emerging: how best to integrate designers with the development team.

"[Enterprise] developers need to get better at talking to designers," said Jon Rauschenberger, CTO of Clarity Consulting, which provides .NET and Java development services.

With Windows Presentation Foundation (WPF), the graphical subsystem in Windows Vista that enables the development of sophisticated user interfaces, there is a growing need for professional design skills, he said. In the past, such skills were required only for the development of customer-facing Web applications, he said. "But now companies want their internal apps to look good, too."

In an ideal world, designers will work in WPF. But until that happens, the onus 
is on developers to say to designers: "Give me images in a form that I can pull into 
the application and make them work," said Rauschenberger. 

Developers at Yahoo have found their own solution to that problem. 

The user interface layer of the company's forthcoming instant messaging appli- 
cation for Windows Vista was created in WPF. "Programmers and designers 
are working side by side," said Yahoo lead product manager Josh Jacobson. 
Developers work on "the easy stuff like pull-down menus," while designers tackle 
more complicated issues, such as how to scale the size of a list using animation, 
he said. "[Neither party] is concerned with who owns the code." 

—Jennifer deJong 

Vista Migration 



< continued from page 30 

sion, S. "Soma" Somasegar, in a Sept. 26, 
2006, blog entry. 

SRT's Wagner said Microsoft's decision 
not to support earlier versions of Visual 
Studio does not affect him. "We have 
already moved to Visual Studio 2005" and 
have recommended that our customers 
do so too, he said. There are many com- 
pelling reasons to make the move, includ- 
ing generics and ASP.NET 2.0, he said. 
"We recommend Visual 
Studio 2005 on the basis 
of those two features 
alone." 

That said, customers are not moving to Windows Vista in droves. "[Adopting Vista] is a year-plus from now for most of our customers," said Notion Solutions' Menegay.

Vista has not yet been broadly adopted, added Clarity's Rauschenberger. "We are seeing the same adoption rate with Vista that we saw with XP."

Those that are adopt- 
ing Vista like what they 
find. "Vista is a very cool operating sys- 
tem," said CriticalSites' Hynds. A partic- 
ular favorite of his is the Windows Filter- 
ing Platform, which gives developers 
access to the TCP/IP packet processing 
path in a way that wasn't possible in earli- 
er versions of the operating system. "It 
gives ISVs a window into that stack," he 
said. That makes it easy for them to cre- 
ate firewalls and antivirus software, 
among other applications and services. 

For Cakewalk's Borthwick, Microsoft's commitment to making sure multimedia works better in Windows Vista, compared with Windows XP, makes the migration woes worthwhile. There are "really cool" advantages in Vista for Cakewalk's digital audio customers, he said. "They can play virtual instruments in real time, without any lag time," he said, offering an example.

Chris Saari, a lead engineer for Internet search engine Yahoo, praised the Windows Presentation Foundation (WPF) in Vista, which lets developers and designers easily build applications with sophisticated user interfaces. The user interface layer of Yahoo Messenger for Vista was built entirely in WPF, he said. That made it easy to add features such as animated graphics to the instant messaging application, which Yahoo expects to make available in beta form in June.

"We are just starting to see the potential of Vista [from the presentation point of view]," said Saari. Applications developed for Vista from the ground up are vector-based instead of pixel-based, which makes for much sharper images, he said. "Apps ported from XP to Vista don't have that quality."

The look-and-feel of Vista apps has 
already raised the bar for what end users 
expect, said Rauschenberger. "Once you 
get used to Outlook 2007 and Vista, other 
applications begin to look old," he said. "A 
customer said to me: 'Why don't our 
enterprise applications look like that?' " 

Maybe that's the real hidden cost of 
Windows Vista, he said. Users will want 
all of their applications redesigned with 
Vista's modern look-and-feel, he said.

FROM THE EDITORS

UAC Means Developer 
Responsibility 

Well, it only took 10 years to do it, but Microsoft may have finally 
found a security scheme for its desktop Windows operating system 
that works. We were impressed when Windows NT launched with its 
intricate privilege hierarchy of users, power users and administrators — 
that is, until we tried to use it. Since then, Windows users have become 
accustomed to accessing their machines with administrator's privileges, 
whether they knew they had them or not. 

Windows Vista's User Account Control (UAC) might not be perfect,
but it's a long-needed step in the right direction, and makes Windows 
more resilient to end-user mishaps. As Microsoft's first operating system 
that truly operates in least-privilege mode out of the box, it's the biggest 
revolution in Windows security since Windows NT. 

Although it might once have been convenient for developers to 
assume that everyone using Windows had local administrator rights, that 
day is long past. Anyone who writes code for a user base outside the 
garage has run out of excuses for writing code that's poorly behaved or 
requires excessive privilege to function. 

We understand that some long-neglected custom business-critical 
applications might have issues. Microsoft saw that as well, which is why 
features such as a virtual registry and virtual file support are part of the 
new Windows security model. Ultimately, if a business has a custom 
application that can't be made safe for Windows Vista, maybe it's time to 
build one that is up to snuff. 

Macintosh users — long slandered as the tricycle drivers of comput- 
ing — have become used to least-privilege mode and UAC-like prompts 
for credentials, thanks to the Unix-based Mac OS X. The basic security 
model for both Mac and Windows owes much to the structure of Unix's 
user security, proving that security doesn't have to be elaborate, but it has 
to work and it has to allow normal use of the device, without handcuff- 
ing the user. Maybe Microsoft has finally put that lesson into practice. 

The intractable problem is that there's an inevitable trade-off between 
convenience and security. Although UAC may not be a perfect solution, 
it's better than what Windows had before. It may not be as convenient 
for developers and end users to be checking credentials at appropriate 
moments, but it really is time for both sides to grow up a bit and assume 
some responsibility. 

Games Programmers Play 

For many software development managers, their computer gaming 
experiences may begin with Pong and end with Tetris. But as you 
probably know from lunchtime conversation, many — if not most — of 
your developers are likely well-versed gamers. The younger your work- 
ers, the more ingrained video games have become in their minds, just as 
books, movies and television have done for generations before this. 

Thus, it stands to reason that, given a choice of media, many young peo- 
ple today would choose the video game as a preferred means to acquire 
information. And can you blame them? We've all been through horrible 
training videos that insult our intelligence. And just how many binders filled 
with policies and procedures are handed out to your new employees? 

The sad truth is that the video-game generation, while capable of 
incredible feats of intellect and commitment, is also a generation of 
impatience. That's why serious video games are so promising for corpo- 
rations. Right off the bat, playing a game is a far more engaging and 
immersive experience than watching a video. 

Giving employees the chance to play around in a world where they can 
see the consequences of their actions, yet not be injured by them, is about 
as good as it gets in education. And when your employees find themselves 
chuckling and having a good time, they may not even notice that they're 
learning all those policies you've spent so much time creating.



LETTERS TO THE EDITOR 

CBuilder Disappoints 



In response to Alan Zeichick's column 
["Tooling Up With CodeGear," Feb. 1, 
page 41], I have used Borland products 
for many years now, in particular the 
C++ and CBuilder family of products.
I've always praised the integration of 
visual design tools with this program- 
ming environment — something that has 
left CBuilder streets ahead of MFC 
development in terms of productivity. 

I just downloaded the latest version 
of the CBuilder 6 trial, and imagine my 
disappointment at finding that some of 
the productivity benefits have disap- 
peared — without a word of explanation. 

I'll mention a few: 

• Class view (now replaced by the 
structure view). Previously possible to 
view all the classes in a project, and the 
context menu provided access to menu 
items such as "New Property" or "New 
Field." These are gone now, and code 
templates do not add fields automatical- 
ly or stubs to the code file. I don't want 
to make the not-inconsiderable invest- 
ment in Together just to get this back. 

• Refactoring. A great feature. The 
programmers who greeted the addition of 
this functionality (as it's available in nearly 
every free Java IDE) can only sigh at the 
rather limited functionality offered here. 

• Code templates. Not a bad idea but 
appear to lack the smarts to change a 
variable name at every place in the tem- 
plate where it's used — for example, 
when inserting the standard "for (n= 
...)" pattern. No detailed information on 
how to use them. 

• Documentation. Awful. Inadequate for the job. I was looking for references to "class view" and found myself suddenly in the middle of Microsoft's Visual Studio documentation.

• Emphasis on Delphi. Although C++ programmers can plough through this, it is an unnecessary hindrance. Not what one is looking for in a RAD product!

Borland seems to have lost its way, 
and I can only hope that forming a sub- 
sidiary company like CodeGear will give 
it the opportunity to find it again. 

Richard Hawker 

'REAL' MANAGERS 

Great column! David Rubinstein has hit 
it right on the head ["Perking Up," Feb. 
1, page 46]. 

I think it is important to mention 
another trait of a successful company. 
That trait is the ability for managers to be 
a part of the team and not just manage. 
Too many managers are inept and have 
risen to the position because no one else 
will take the job. Those managers should 
realize that the people who work for 
them are many times smarter than they 
are and want to stay as an individual con- 
tributor and not climb the corporate lad- 
der. Many of today's staff players do not 
want the role of a manager, and they 
should be admired for that, not belittled. 

Real managers know they are success- 
ful because of the people who work for 
them. 

Sam Courtney 

CORRECTION 

A story in the March 15 issue incorrectly 
stated that a trial date had been set in the 
SCO v. IBM case. No date has been set. 

The PDA market grew by leaps and bounds in 2006, according to figures from a Gartner report released in February. The report, titled "Dataquest Alert: Worldwide PDA Shipments Grew 18.4% in 2006," says that Windows CE maintained its lead among PDA operating systems, with Research In Motion in second place and Palm OS clinging to third.

These numbers do not include smartphone shipments. Although the line between the two 
devices may seem blurry, Gartner defines a smartphone as a voice-centric device that has 
data access features. In contrast, Gartner's PDA definition cites data access as a primary 
role, with voice as an optional component. 

Bite Vulnerabilities Before They Bite You

I.B. Phoolen



Firewalls are great if you're worried 
about barbarians attacking your front 
gate. Intrusion detection systems are fine, 
if your goal is to see if unauthorized traf- 
fic is on your LAN; intrusion prevention 
systems work in conjunction with your 
firewall to block that unauthorized traffic. 

Firewalls, IDS and IPS systems, as well 
as anti-virus solutions, spam fil- 
ters, worm detectors — they're 
all worthless, absolutely worth- 
less, when it comes to attacking 
the real causes of software secu- 
rity failures. So, too, are checks 
against buffer overflows, cross- 
site scripting and SQL injection. 
While those vulnerabilities can 
trip up an unwary programmer, 
they're easy to catch. Just about any static 
or dynamic code analyzer can find those 
problems. The real challenge is how to 
handle the most significant software secu- 
rity challenge of our time. 

Puppies. 

Yes, my fellow software architects, developers and test/QA professionals, the biggest threat to our software infrastructure, and the integrity of our data, is puppies. They look so cute, don't they, with their lolling pink tongues, soft waggly ears and short little legs. They roll and play and want to be cuddled. But don't be fooled. Puppies, those innocent little puppies, are placing your enterprise software in deadly peril...and your CEO, if the puppies start messing with your Sarbanes-Oxley systems. He'll be going down the river...and you'll be down there with him, if you don't take action now.

Where did this insidious threat come 
from? It's hard to know. Perhaps the first 
puppies merely wanted some fun; they 
wanted to show off in front of 
their litter mates. Nobody 
picks on the runt, you see, if 
he can erase breeding records 
with the click of a mouse. But 
then things got worse. Gov- 
ernment agencies and their 
espionage programs. The mil- 
itary. Commercial interests. 
Terrorists and rogue states. 
They learned how to use puppies to 
bypass virtual private networks, routers, 
firewalls. How in the face of a determined 
puppy, even 256-bit AES encryption is 
about as effective as an old, battered 
squeaky toy. Buffer overflow exploits? Ha. 
Puppies sneer at your pathetic algorithms; 
you might as well not bother. 

The puppy threat is years ahead of our technology. Check your Tivoli, your OpenView, your Unicenter TNG, even Microsoft's MOM. Do any of them detect puppies? Not the latest versions, and not the current betas. Do they have any facilities for neutralizing the puppy threat, once detected? Not a chance. Microsoft Research, the T.J. Watson Laboratories — they're hopeless. The experts at the Carnegie Mellon Computer Emergency Response Team are asleep at the switch. The Computer Security Institute doesn't have a clue. Even the U.S. National Security Agency and Department of Homeland Security lack contingency plans to protect our vital enterprise software from the puppy scourge.

You should pool your resources with 
the rest of the IT team. Gather up your 
LAN and WAN managers, end-user sup- 
port teams, data center managers, test 
teams. Heck, even bring the code librar- 
ian. Get the CIO or CTO to bring the 
team together — there's no time to lose! 
Check out the RSA Conference or the 
Software Security Summit, neither of 
which (surprise) have classes or tutorials 
on puppy threat management. Ask, no,
demand that they address this issue
immediately. We need classes. We need
patches. We need an action plan!

Puppies. This time, the rolled-up newspaper is not going to be enough. Let's get to work, people, before it's too late.

I.B. Phoolen is the author of "Software Security for Blithering Idiots," "Better Living Through Bootkit Development" and "Social Engineering for Fun and Profit." Read all of Phoolen's writings at ibphoolen.blogspot.com.

AMERICA ONLINE'S ubiquitous brand-first strategy is no more. AOL has
emerged quietly as the third-largest 
video portal on the Web, but not for the 
reasons that you might think. Aside from 
the Time Warner connection and its af- 
filiated properties, AOL's partners are 
driving its growth: AOL is an infrastruc- 
ture provider. 

AOL has even opened up some of its 
source code and APIs, and it intends to 
reveal more in the future. WebEx built 
its AIM Pro Business Edition enterprise 
instant messaging software through 
AOL's Open AIM initiative. AOL wants 
you, the trendsetting Web 2.0 develop- 
ers, to be stakeholders in its brand. 

The reception it receives from devel- 
opers will be crucial to the success of the 
rebranding. Developers will contribute 
to AOL's "brand energy" if they have a 
positive association with its products. 

-David Worthington 

ALWAYS AN ARDUOUS undertaking, the 
challenge of gathering requirements just 
gained another level of complexity. Devel- 
opers need to teach business users how 
new technology can fundamentally 
change what they want an application to 
do. Bill Wagner, founder of software
development services firm SRT Solutions,
gained that insight while working with
Windows Presentation Foundation, the 
sophisticated graphics system in Windows 
Vista and .NET 3.0. Users tend to explain 
what they want in terms of what they al- 
ready have, he said. But technologies like 
WPF enable them to ask for more. Re- 
quirements gathering is essentially an in- 
formation-seeking process, in which de- 
velopers and analysts must accurately cap- 
ture the dozens of variations on who uses 
the application to do what. But first, they 
should tailor the process to show users 
something better than they had before. 

-Jennifer deJong

MAYBE IT IS NO COINCIDENCE that 
Hewlett-Packard shares initials with boy 
wizard Harry Pot- 
ter. I am reminded 
of a scene in "Harry 
Potter and the 
Goblet of Fire," 
where Harry grabs 
the prized Tri- 
Wizard Cup, only 
to find a malevolent 
spell has been put 
on the prize that transports him into the 
hands of the bad guys. To me, Harry's 
grabbing the TriWizard Cup is similar to 
HP's acquisition of Mercury. HP
grabbed hold of a very strong ALM
piece, but in the eyes of some, it's 
brought them trouble. Mercury pulled 
in revenues of US$584.4 million in 2005. 
With customer loyalty reflected in those 
numbers, it is inconceivable to think that 
HP dropped the Mercury product 
name. Time will tell if they, like Harry, 
can persevere in the end. 

-Jeff Feinman 

MICROSOFT'S RECENT PURCHASE of
Tellme Networks really spoke to me. Not
because I'm a big fan of voice recogni- 
tion: Nothing that I have tried impresses 
me. The voice-activated phone services 
that Tellme specializes in supplying are 
useful but are also pretty simple. They 
have to cope with a limited vocabulary. 
Now for a real challenge, Microsoft 
could try building voice recognition that 
actually works into Word, and other 
tools. I've tried the better dictation prod- 
ucts that I can find, and they all leave me 
cold. Although I'd rather not dictate a 
1,500-word article, it would be nice to 
have software that could transcribe inter- 
views for me — or at least, allow me to fo- 
cus on the technical details while the 
software takes care of the uhs, ers and 
ums. Microsoft is perhaps the only
company with the resources to make this
dream a reality, so this sign of commit- 
ment gives me another reason to live. 

- P.J. Connolly 

I Dream of Djinni

"But this isn't a silver bullet!" Fabian
insisted. "It's a djinni-bearing magic
lamp! Not just one thing — you get three
things!"

"I don't have time for this," I
groaned. "I'm just trying to control how
bad we slip."

"What's your biggest problem?"

I gave in. "My biggest problem right
now is that, contrary to what we'd been
told earlier, it turns out that what was
supposed to be static data is not stable at
all. Never mind that I'm eventually going
to have to switch the application to a live
feed; I have to at least incorporate the latest
changes. While we can regenerate the
database from scratch, that takes several
days to run and test. So I've been writing
a utility that tries to find, diagnose and
match up changes. But even that utility
takes several hours to run. If I screw up
the logic, I'll corrupt the database. I can
roll back the changes and try again, sure,
but realistically I only have a couple of
shots at it before our scheduled release."

Over the phone I heard a rubbing
noise and then an invocation: "Oh, great
djinni! Make specifying the logic of a
program 10 times easier," cried Fabian.

"Try it now," he said to me smugly.

"Thanks, but that won't help. The
transactions are trivial to program. I've
talked about how I've come to rely on unit
tests for relieving the stress of just such
refactorings, whether they're in the appli- 
cation or the database. Without unit tests, 
changes are invariably stressful precisely 
because there's no other way to rapidly 
determine if you've made a mistake." 

"You make it sound like you'd prefer 
unit tests to a djinni in a lamp!" exclaimed 
Fabian. 

"Sure, I'd probably accept 
the proposition that unit tests 
make refactorings an order of 
magnitude easier to implement.
But that alone doesn't
make software development
10 times faster. This is a situation
where I was told something
simply wrong about what
was and was not invariant. You 
can't unit test — or djinni — 
your way out of problems like that." 

"Never mind that, then. Give me 
another problem, and I'll put the djinni 
to work." 

"Just recently, one of the several clients 
scheduled to use this system told us that 
for a certain vendor with whom they have 
a side contract, costs will come from 
their system as zero dollars, and such line 
items have to be ignored when calculating 
averages for reporting purposes." 

"I know you've told me that client-spe- 
cific logic in a general-purpose component 
like a reporting module is ugly, but surely
that's just a line or two of code to change."

"We use a report generator," I explained.
"It's a good tool and I'm sure it
decreases the overall time of developing 
reports by 90 percent. But it uses a binary 
format and doesn't support runtime tem- 
plating, so we have a hundred reports that 
must be individually changed."

Again I heard a clatter and,
in the distance, "Oh, great
djinni! Make Larry's report
generator use an open format
that supports runtime templating!"
When Fabian picked
up the phone, I felt bad telling
him it wouldn't work.

"We still have to check 
every report. We can't just 
redefine every use of 'average' 
to ignore zeroes. This type of client-spe- 
cific, context-dependent logic is part and 
parcel of the job, and you can't discover 
it all in advance. Heck, the client had 
seen and approved sample reports. It 
was only when we got into testing with 
real data that they said 'Oh, this is 
wrong.' " 

Then I told him how, three weeks 
before scheduled delivery, we had a big 
presentation for our suppliers — spotless 
conference room, PowerPoint slides, 
sushi plates, that sort of thing. And how
a $300-per-hour consultant who hadn't
seen a line of code had said, "Why do 
you calculate costs that way instead of 
this other way, which will save you pen- 
nies per transaction?" and orchestrated a 
cluster-talk between the supplier, our 
CEO and himself in which they agreed 
that things must change. And how they 
then went out to dinner and undoubted- 
ly congratulated themselves on the mon- 
ey that the consultant-without-keyboard 
had saved them. And how, when we 
should have been poised for the data 
disasters and reporting snafus, we 
instead were busy implementing the 
change, which indeed saved us pennies 
in providing an above-the-line cost, but 
which had the slight problem of not 
being able to calculate taxes and thus 
was worthless. When I was done with 
the story, I took a deep breath. 

"Can you phrase the problem in the 
form of a djinni-compatible wish?" Fabi- 
an asked. 

"That executives should dance with 
who brung them and ignore the recom- 
mendations of bloviating consultants 
who couldn't program their way out of a 
partially sorted list?" 

It was Fabian's turn to be dismissive. 
"Now who's indulging in fantasy? If you 
don't want my help, fine. Oh, great djinni! 
Give the Red Sox the pennant again!"

Larry O'Brien is a technology consultant,
analyst and writer. Read his blog at
www.knowing.net.



Deciding on Metrics 



There is no doubt that code metrics 
are beginning to emerge as valuable 
tools to development managers and pro- 
grammers. Borland, CodeGear, Com- 
puware and IBM have all released prod- 
ucts with metrics-capturing capabilities, 
thereby joining Enerjy CQ2 (the market 
leader in metrics capture and display). 
Many of the metrics still revolve around 
raw data: lines of code, defect counts 
and the like. They quantify various fac- 
tors about the projects and present 
them unvarnished for thoughtful con- 
sideration. 

Because the wider use of metrics is 
only now emerging for real, I find that 
we are not as smart as we think we are 
in terms of knowing what raw measures 
to capture. For example, I recently 
visited the folks at Agitar, who make 
some unique tools for unit testing. Dur- 
ing our conversation about the state of 
the art, they casually mentioned two 
raw data measures that I had never 
heard used. 

The first of these was the ratio 
between the size of the codebase of 
unit tests to the size of the project 
codebase. Agitar engineers maintain 
that when there is parity between the 
two (that is, you have as many LOC in 
your tests as in your base project), you 
have a well-tested program. In their
experience, this much code represent- 
ed about 70 percent code coverage by 
unit tests — a very good number. This 
was the first time I'd ever heard anyone 
prescribe a baseline identifying how 
much unit-testing code is desirable. 
(Readers unfamiliar with the question 
might wonder why 70 per- 
cent of code is good, when 
100 percent is possible. The 
answer is that there is a lot of 
code for which writing tests 
is pointless. For example, 
getters and setters rarely 
need to have tests written for 
them. In fact, writing tests 
for them is frowned upon, as 
those tests take time to write 
and to run, and they produce 
no useful information.) 

What is interesting about the size of 
the codebases is that few tools capture 
the size of the test codebase, and yet 
suddenly this is a useful measure. 

Another point Agitar engineers made 
is that counting unit tests has limited val- 
ue. What you probably want to know is 
how many test points you have. Test 
points are the individual asserts that 
occur inside a unit test. Many unit tests 
have multiple assert statements, and so
counting these gives you a better idea of
how much testing is occurring. I have 
not found any metrics package that 
counts test points. Yet I agree with Agi- 
tar — it is a better measure. 
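
The two raw measures described above, computed for Python sources with the standard `ast` module: the ratio of test code size to project code size (parity is a ratio of 1.0) and the number of test points. This is an added example, not code from Agitar or from the column; the sample sources, the function names, and the choice to count bare `assert` statements and `assert*` method calls as test points are assumptions.

```python
import ast

# Constructed sample sources (assumptions); they are parsed, never executed.
PROJECT_SRC = '''
def parse_port(text):
    value = int(text)
    if not 0 < value < 65536:
        raise ValueError("port out of range")
    return value

def is_privileged(port):
    return port < 1024
'''

TEST_SRC = '''
import unittest

class PortTests(unittest.TestCase):
    def test_parse_valid(self):
        self.assertEqual(parse_port("80"), 80)
        self.assertEqual(parse_port("65535"), 65535)

    def test_parse_rejects_zero(self):
        with self.assertRaises(ValueError):
            parse_port("0")

def test_privileged():
    assert is_privileged(22)
    assert not is_privileged(8080)
'''

def code_lines(source):  # lines that are neither blank nor pure comments
    stripped = (line.strip() for line in source.splitlines())
    return sum(1 for line in stripped if line and not line.startswith("#"))

class AssertCounter(ast.NodeVisitor):  # maps each test function to its asserts
    def __init__(self):
        self.points = {}
        self._current = None

    def visit_FunctionDef(self, node):
        if self._current is None and node.name.startswith("test"):
            self._current = node.name
            self.points[node.name] = 0
            self.generic_visit(node)
            self._current = None
        else:
            self.generic_visit(node)

    def visit_Assert(self, node):          # bare `assert expr`
        if self._current:
            self.points[self._current] += 1
        self.generic_visit(node)

    def visit_Call(self, node):            # unittest-style self.assertX(...)
        func = node.func
        if (self._current and isinstance(func, ast.Attribute)
                and func.attr.startswith("assert")):
            self.points[self._current] += 1
        self.generic_visit(node)

def measure(project_src, test_src):
    counter = AssertCounter()
    counter.visit(ast.parse(test_src))
    project_loc, test_loc = code_lines(project_src), code_lines(test_src)
    return {"tests": len(counter.points),
            "test_points": sum(counter.points.values()),
            "test_to_project_ratio": round(test_loc / project_loc, 2),
            "points_per_test": counter.points}
```

On the constructed sample, three tests carry five test points, which is the gap between counting tests and counting asserts that the column describes.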

There is a second category of met- 
rics that is also emerging: calculated 
metrics. A simple example is cyclomat- 
ic complexity, which mea- 
sures the number of code 
paths in a single function or 
method. The higher this 
benchmark, the more code 
paths you have, and the more 
likely bugs will occur. The 
idea is that routines with 
high cyclomatic complexity 
should be broken apart into 
separate methods — thereby 
enhancing clarity.

There are as many ways of calculating
new metrics as there are formulas 
emerging for measuring the production 
of baseball players. It is becoming a 
numbers fest, in which the earnest seek- 
er is swamped with numbers that have 
no particular value. 

However, one derived metric that 
warrants consideration is the maintain- 
ability index (MI), first developed in 
1994 by researchers at the University of 
Idaho. The MI combines four factors:
cyclomatic complexity, Halstead
complexity (a ratio of the number of unique
operators and operands to the total 
number of operators and operands in 
the codebase), the size of the codebase, 
and the percentage of comment lines. 
The MI ranges from -100 (very bad) to 
+200 (excellent). And knowing how 
your project rates gives you an objec- 
tive criterion for knowing whether 
refactoring is needed. The important 
thing to note is that the MI does not 
measure quality, but rather how diffi- 
cult it will be in the future to maintain 
the code. In other words, it helps you 
project cost of changes and likelihood 
of bugs, which are undeniably proxies 
for code quality. 

In a recent, very well-written book 
titled "Code Quality — The Open Source 
Perspective," Greek researcher Dio- 
modis Spinellis runs the MI over the his- 
tory of open source projects and con- 
cludes what we know intuitively — that 
the MI declines as projects grow. This 
reflects the habit of adding and changing 
code without refactoring it. By tracking 
MI over time on projects, developers 
and managers alike can make sure code 
quality does not deteriorate, and they 
thereby keep legacy code from becoming
brittle and unmanageable.

Andrew Binstock is the principal analyst
at Pacific Data Works. Read his blog at
binstock.blogspot.com.

Spring Rebirth at CA



Industry Watch 



A solitary duck floated in the man-made
pond at the south end of CA's
campus on Long Island as I turned my 
car into the drive. It was a beautiful har- 
binger-of-spring day; the trees would 
soon have buds, and flowers would add 
color to the landscape. 

Inside, the feeling of rebirth was just 
as strong. The aura, or mystique, of 
founder Charles Wang and 
Sanjay Kumar no longer was 
palpable. Their legacy re- 
mains in the photo developing 
shop on the ground floor, next 
to the gourmet cafeteria, but 
their presence isn't strongly 
felt anymore. The financial 
scandals and layoffs seemed 
longer ago than they were. 
Even the name Computer 
Associates, for so long visible 
from a stretch of the Long Island 
Expressway, has been replaced by the 
new CA logo. 

Inside, people were moving toward 
meetings, or grabbing a snack, or busy at 
their workstations. It simply felt like a 
place where people went about their 
business, like any other office. So it was 
not without a touch of irony that the 
focus of CA's application development
strategy is on legacy modernization. 

Part of the reason for my visit to CA 
was to find out if in fact they had an 
application development strategy at all. 
You see, in a 2004 conversation with
then-executive vice president Russell
Artzt, I was told that developer tools
were not really core to CA's business,
and that they would be put into a vague 
"CA Products Group" business unit. 

Maurice Donegan, a vice president of 
marketing, said CA's new mantra is "unify
and simplify." Unify development
with the needs of the business, putting it 
in position to take advantage 
of new technologies. Simplify 
the work, so people with less- 
technical skills can be pro- 
ductive with what IT gives 
them. "This plays into all 
lines of business," he said, 
indicating that CA is looking 
for growth opportunities for 
its model-driven application 
development tools — the Gen
modeler and developer environment,
the Aion business rules
and the Plex RAD tool.

If you're not a mainframe
shop, you can probably stop reading
here. But if you are, you undoubtedly
know CA, and its argument for moving
COBOL apps onto the more modern
distributed systems is compelling.

"It's an opportunity to open doors and
have a frank discussion of where they're
going forward with their business apps,
and to see what are the project management,
software management and security
issues," Donegan said. "That plays into
our other key growth areas."

One of those growth areas is SOA,
and vice president of development Terrence
Clark detailed CA's approach, with
the Harvest distributed change manag- 
er, Endevor mainframe SCM tool and 
Enterprise Workbench development 
environment. Change management is 
the key, Clark explained, as most IT 
problems arise as the result of some- 
thing changing in the system. An impor- 
tant piece, he said, is a configuration 
management database that ties in all 
components that make up an IT service, 
whether it's infrastructure or an applica- 
tion, and allows users to pinpoint prob- 
lems more quickly. 

The technology, Clark explained, 
supports the IT Infrastructure Library 
processes — version 3 is coming out, but 
it still is not joined with application 
development. That's a shortcoming, 
according to Brian Johnson, who joined 
CA "two and a bit years ago" after hav- 
ing helped write an ITIL book under 
the auspices of the British government. 
"We're trying to convince people in 
development that there's a home for 
processes." 

"Legacy modernization and SOA are 
big opportunities for us," Donegan said. 
"It opens up the conversation for us 
regarding other transformational issues, 
such as ITIL, CM, incident and perfor- 
mance management and security." 

CA, it appears, is undergoing a bit of 
a transformation itself, at least as far as 
application development goes.

David Rubinstein is editor-in-chief of 
SD Times. 



Speaking of Sports... 



BY I.B. PHOOLEN 

Just in time for the end of basketball sea- 
son and nowhere near the beginning of 
summer football, SD Times will debut a 
new sports column called, cleverly 
enough, "Speaking of Sports," wrapping 
up all the action of your favorite college 
and professional teams. 

Written in a purely gonzo journalistic 
style by new columnist Thompson S. 
Hunter, this won't be your father's 
sports column. 

You'll feel like you have a courtside 
seat as the Mildcats from MIT deter- 
mine the angle of elevation required for 
a successful free throw when a 6-11 
center is shooting 15 feet from a 10-foot 
high basket — and then write an algo- 
rithm to automate the process and 
remove the human drama! Then, 
Hunter will make you feel the agony of 
defeat when MIT's potential game-win- 
ning basket is nullified by an improper 
procedure call. 

"Speaking of Sports" will make you 
thrill to the action when the No. 
3.14159 car from Cal-Poly wins the 
Indianapolis 500 by an amazing 350
laps, using a jet engine customized
to get a 1966 Chevy Impala moving
at Mach 1! Only "Speaking of Sports" can
catch you up in the winner's
circle, and make sense
of an interview given by a driver
whose face has been subjected
to 7gs of force.

In his debut column, to perhaps 
appear someday in these pages, 
Hunter rips the covers off the scan- 
dalous practice of blood-doping among 
programmers. He writes: "With the fin- 
ish line still nowhere in sight, Sanjay 
hoisted another Red Bull and drained 
the can in one gulp, then smashed it 
into his forehead and began an 
eardrum-busting diatribe about the 
shortcomings of his teammates, who by 
this time were on the down side of 
peaking from their own stimulants, 
heads nodding into their keyboards and 
writing ]]]]]]]]]]]]]]], their self-imposed 
sleep deprivation getting them no clos- 
er to reaching their goal than they had 
been before they started drinking." 




The clarity, 
the pacing, the stream of consciousness 
babbling...you won't get writing like that
anywhere else. Why would you want to?
So look out for "Speaking of Sports"...it's
addicting!

Retired test engineer I.B. Phoolen always
shoots under par. Read all of Phoolen's
writings at ibphoolen.blogspot.com. 

For a more complete calendar of U.S. software
development events, see www.bzmedia.com/calendar. 
Information is subject to change. Send news about 
upcoming events to events@bzmedia.com. 